Skip to content

Commit 8729270

Browse files
authored
Merge pull request #45158 from github/repo-sync
Repo sync
2 parents 7b241e5 + d54dcfa commit 8729270

32 files changed

Lines changed: 444 additions & 174 deletions

File tree

Dockerfile

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -10,7 +10,7 @@
1010
# ---------------------------------------------------------------
1111
# To update the sha:
1212
# https://github.com/github/gh-base-image/pkgs/container/gh-base-image%2Fgh-base-noble
13-
FROM ghcr.io/github/gh-base-image/gh-base-noble:20260708-113537-g661fe65de@sha256:894162a6b21fc03da8ba889760592e6e223ba76f3067723f93bd1e49aff1c46b AS base
13+
FROM ghcr.io/github/gh-base-image/gh-base-noble:20260713-090615-gb0d388add@sha256:8708e26b53b2304cf8d933be5e8fbca4fa4d07b3ba6e4be238372a5d3029e443 AS base
1414

1515
# Install curl for Node install and determining the early access branch
1616
# Install git for cloning docs-early-access & translations repos
115 KB
Loading

content/admin/enforcing-policies/enforcing-policies-for-your-enterprise/enforcing-policies-for-code-security-and-analysis-for-your-enterprise.md

Lines changed: 17 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -120,3 +120,20 @@ Across all of your enterprise's organizations, you can allow or disallow people
120120
> This policy controls the use of {% data variables.copilot.copilot_autofix_short %} on results found by {% data variables.product.prodname_code_scanning %} security queries only. {% data variables.copilot.copilot_autofix_short %} is an integral part of {% data variables.product.prodname_code_quality %} and cannot be disabled for that feature.
121121
122122
{% endif %}
123+
124+
{% ifversion ai-powered-security-detections %}
125+
126+
## Enforcing a policy to manage the use of AI-powered security detections in your enterprise's repositories
127+
128+
As an enterprise owner, you can control whether organization and repository administrators can enable AI-powered security detections for their organizations and repositories. This policy is set to "Not allowed" by default.
129+
130+
Allowing AI-powered security detections at the enterprise level does not enable the feature. Organization administrators must still explicitly enable AI-powered security detections. Repository administrators can opt-out of the feature.
131+
132+
This policy only takes effect if {% data variables.product.prodname_codeql %} default setup is enabled.
133+
134+
{% data reusables.enterprise-accounts.access-enterprise %}
135+
{% data reusables.enterprise-accounts.policies-tab %}
136+
{% data reusables.enterprise-accounts.code-security-and-analysis-policies %}
137+
1. Under "AI Findings", select the dropdown menu and click a policy.
138+
139+
{% endif %}

content/authentication/authenticating-with-single-sign-on/authorizing-an-app-for-single-sign-on.md

Lines changed: 3 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -24,11 +24,11 @@ Apps are automatically authorized for all of the organizations you have an SSO s
2424

2525
If you sign into an app but it is unable to access an organization you belong to, first check that the app is approved or installed for the organization. If it is, you then need to sign into that organization's SSO providers using the following steps:
2626

27-
1. Go to your [organization settings](https://github.com/settings/organizations).
28-
1. Under "Single sign-on", find the organization you need to authenticate to, and click **Sign in**.
27+
1. Go to your [single sign-on settings](https://github.com/settings/sso).
28+
1. Find the organization you need to authenticate to, and click **Sign in**.
2929
If your enterprise manages SSO for your organization, signing in to one organization in the enterprise works as an SSO session for all organizations in the enterprise.
3030

31-
1. Try to sign into the the app again. When you are authorizing the app you will see the organizations you've signed into and be able to request or install the app for those organizations.
31+
1. Try to sign into the app again. When you are authorizing the app, you will see the organizations you've signed into and be able to request or install the app for those organizations.
3232

3333
For more information, see [AUTOTITLE](/apps/using-github-apps/installing-a-github-app-from-a-third-party), [AUTOTITLE](/apps/using-github-apps/installing-a-github-app-from-github-marketplace-for-your-organizations), and [AUTOTITLE](/apps/using-github-apps/requesting-a-github-app-from-your-organization-owner).
3434

Lines changed: 77 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,77 @@
1+
---
2+
title: AI-powered security detections in pull requests
3+
shortTitle: AI-powered security detections
4+
allowTitleToDifferFromFilename: true
5+
intro: 'AI-powered security detections use an AI-based scanning engine to find security vulnerabilities in pull requests for languages and frameworks not covered by {% data variables.product.prodname_codeql %}.'
6+
versions:
7+
feature: ai-powered-security-detections
8+
contentType: concepts
9+
category:
10+
- Find and fix code vulnerabilities
11+
---
12+
13+
> [!NOTE]
14+
> AI-powered security detections are currently in {% data variables.release-phases.public_preview %} and subject to change.
15+
16+
AI-powered security detections are additional security findings produced by an AI-based scanning engine that runs on pull requests and complements {% data variables.product.prodname_codeql %}. Unlike {% data variables.product.prodname_codeql %} alerts, AI-powered findings are only available on pull requests and do not appear as backlog alerts in the repository's security view.
17+
18+
While {% data variables.product.prodname_codeql %} provides high-precision static analysis for a specific set of supported languages and queries, many repositories use languages and frameworks that {% data variables.product.prodname_codeql %} does not cover. AI-powered detections expand {% data variables.product.prodname_code_scanning %} coverage into these areas, helping you find vulnerabilities without adding new tools or configuration.
19+
20+
During the {% data variables.release-phases.public_preview %}, AI-powered security detections require a {% data variables.product.prodname_GHAS %} license and a {% data variables.product.prodname_copilot %} license.
21+
22+
Usage consumes {% data variables.product.prodname_ai_credits_short %}. See [AUTOTITLE](/copilot/concepts/billing/usage-based-billing-for-organizations-and-enterprises).
23+
24+
## How AI-powered security detections work
25+
26+
AI-powered security detections run automatically on pull requests in repositories where {% data variables.product.prodname_codeql %} default setup is enabled and AI-powered detections have been opted into. The AI-based scan is triggered on pull request creation and after each new commit, the same as {% data variables.product.prodname_codeql %}.
27+
28+
AI-powered findings are advisory and do not block pull request merges. They provide signals about where code security can be improved without interrupting your workflow.
29+
30+
The AI scanning engine works directly with the code in the pull request and does not require a build system. It uses tools such as code search to gather additional context from the repository when deciding whether to flag an issue. It uses its own specialized prompts and does not use custom instruction files such as `/.github/copilot-instructions.md` or `/CLAUDE.md`.
31+
32+
The AI scan runs independently of {% data variables.product.prodname_codeql %}'s status. If {% data variables.product.prodname_codeql %} default setup fails or is in a waiting state, AI-powered detections will still run.
33+
34+
Results are posted to the pull request as they are found. If the {% data variables.product.prodname_codeql %} scan takes longer to complete, you may see AI-powered findings before {% data variables.product.prodname_codeql %} results appear, or vice versa.
35+
36+
## How findings appear on pull requests
37+
38+
AI-powered findings appear alongside {% data variables.product.prodname_codeql %} alerts on the **Conversation** and **Files changed** tabs of a pull request. Each AI-powered finding is labeled with an "AI" indicator so you can distinguish it from {% data variables.product.prodname_codeql %} alerts.
39+
40+
Each finding includes a description of the security issue and an explanation of the risk. Most findings also include a suggested remediation, but not every finding has one. Where a suggested remediation is available, {% data variables.copilot.copilot_autofix_short %} is included and provides a recommended code change to fix the issue, the same way it does for {% data variables.product.prodname_codeql %} alerts. Findings also include a thumbs up/down feedback mechanism that helps improve detection quality over time.
41+
42+
## Limitations
43+
44+
* AI-powered security detections analyze pull requests only. Full repository scans are not supported.
45+
* AI-powered findings cannot yet be used in rulesets to enforce merge requirements
46+
* Detection categories and supported languages may change as the feature evolves.
47+
* As with any AI-based tool, findings may include false positives. Use the feedback mechanism to report inaccurate results.
48+
49+
## Supported languages
50+
51+
AI-powered security detections are designed to cover languages and frameworks that are not currently supported by {% data variables.product.prodname_codeql %}. This includes, but is not limited to, languages such as PHP, Shell/Bash, Terraform configuration (HCL), and Dockerfiles, as well as framework coverage gaps such as JSP for Java and Blazor for C#.
52+
53+
For a full list of languages supported by {% data variables.product.prodname_codeql %}, see [AUTOTITLE](/code-security/concepts/code-scanning/codeql/about-code-scanning-with-codeql#supported-languages-and-frameworks).
54+
55+
## Detection categories
56+
57+
AI-powered security detections currently cover the following categories. These categories describe how findings are classified. The AI scanner may evolve over time as models improve.
58+
59+
* **String injection** — Unsafe string-built SQL, HTML, shell, JSON, or YAML with missing or incorrect escaping or sanitization.
60+
* **Weak cryptography** — Weak algorithms, small keys, insecure randomness, missing encryption, or weak password hashing.
61+
* **Broken access control** — Path traversal, CSRF gaps, or user-driven open redirects.
62+
* **Sensitive data exposure** — Secrets, tokens, passwords, or stack traces stored, logged, or sent without adequate protection.
63+
* **Security misconfiguration** — Risky defaults or settings, such as disabling security controls or enabling debug features.
64+
* **Authentication failures** — Missing TLS or validation, insecure authentication flows, or missing rate limiting.
65+
* **Data integrity failures** — Unsafe deserialization, HTTP for sensitive actions, prototype pollution, or executing untrusted content.
66+
* **Server-side request forgery (SSRF)** — Server fetches attacker-controlled URLs, hosts, or protocols.
67+
* **Supply chain risks** — Unpinned third-party actions, packages, or images, or downloads without integrity checks.
68+
69+
## Enabling AI-powered security detections
70+
71+
AI-powered security detections are not allowed at the enterprise level by default and disabled at the organization and repository levels. Enterprise administrators must explicitly allow the feature before organizations can enable it. Organization administrators must explicitly opt in to the feature. Repository administrators can opt-out of the feature. Additionally, you need to have the {% data variables.product.prodname_codeql %} default setup enabled.
72+
73+
You do not need to select a model to enable AI-powered security detections.
74+
75+
* **Enterprise**: The **AI Findings** policy under "Code Security" controls whether organizations can enable the feature. See [AUTOTITLE](/admin/enforcing-policies/enforcing-policies-for-your-enterprise/enforcing-policies-for-code-security-and-analysis-for-your-enterprise#enforcing-a-policy-to-manage-the-use-of-ai-powered-security-detections-in-your-enterprises-repositories).
76+
* **Organization**: The **AI findings** setting under "Code scanning" enables AI-powered detections for repositories in the organization. See [AUTOTITLE](/code-security/how-tos/secure-at-scale/configure-organization-security/establish-complete-coverage/configuring-global-security-settings-for-your-organization#enabling-ai-powered-security-detections).
77+
* **Repository**: The **AI findings** toggle under "Code scanning" enables or disables AI-powered detections for the individual repository. Repositories inherit the organization setting but can opt out individually.
Lines changed: 45 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,45 @@
1+
---
2+
title: About autofix for code scanning
3+
shortTitle: Autofix
4+
allowTitleToDifferFromFilename: true
5+
intro: 'Autofix provides targeted recommendations to help you fix {% data variables.product.prodname_code_scanning %} alerts and avoid introducing new security vulnerabilities.'
6+
product: '{% data reusables.rai.code-scanning.gated-feature-autofix %}'
7+
versions:
8+
feature: code-scanning-autofix
9+
contentType: concepts
10+
category:
11+
- Find and fix code vulnerabilities
12+
redirect_from:
13+
- /code-security/concepts/code-scanning/copilot-autofix-for-code-scanning
14+
---
15+
16+
Autofix provides you with targeted recommendations to help you fix {% data variables.product.prodname_code_scanning %} alerts so you can avoid introducing new security vulnerabilities. The potential fixes are generated automatically by large language models (LLMs) using data from the codebase and from {% data variables.product.prodname_code_scanning %} analysis.
17+
18+
## How autofix works
19+
20+
Autofix translates the description and location of a {% data variables.product.prodname_code_scanning %} alert into code changes that may fix it. It interfaces with the large language model {% data variables.copilot.copilot_gpt_53_codex %} from OpenAI, which has sufficient generative capabilities to produce both suggested fixes in code and explanatory text for those fixes.
21+
22+
There are two ways to get a fix for an alert: agentic autofix and {% data variables.copilot.copilot_autofix_short %}. If {% data variables.copilot.copilot_cloud_agent %} is available in a repository, assigning an alert uses agentic autofix instead of {% data variables.copilot.copilot_autofix_short %}.
23+
24+
## Agentic autofix
25+
26+
> [!NOTE] This feature is currently in public preview and is subject to change.
27+
28+
Assign a {% data variables.product.prodname_code_scanning %} alert to {% data variables.product.prodname_copilot_short %} to have it resolve the alert for you. Assigning an alert starts an agent session: {% data variables.copilot.copilot_cloud_agent %} calls tools to explore your codebase beyond the affected file, generates a fix, validates it (for example, by re-running {% data variables.product.prodname_codeql %}), and iterates until it opens a pull request with the changes. See [AUTOTITLE](/code-security/how-tos/manage-security-alerts/manage-code-scanning-alerts/resolve-alerts#fixing-alerts-with-copilot).
29+
30+
Keep the following in mind:
31+
32+
* Agentic autofix requires {% data variables.copilot.copilot_cloud_agent %} and {% data variables.copilot.copilot_autofix_short %} to be available in the repository. If {% data variables.copilot.copilot_cloud_agent %} isn't available, assigning an alert falls back to {% data variables.copilot.copilot_autofix_short %} instead.
33+
* Each agentic autofix session is billed as a {% data variables.copilot.copilot_cloud_agent %} session and consumes {% data variables.product.prodname_ai_credits_short %}. See [AUTOTITLE](/copilot/concepts/agents/cloud-agent/about-cloud-agent#copilot-cloud-agent-usage-costs).
34+
* {% data variables.product.prodname_copilot_short %} follows any custom instructions configured for the repository or organization when it generates a fix.
35+
* Agentic autofix works on a best-effort basis. {% data variables.product.prodname_copilot_short %} validates fixes by re-running {% data variables.product.prodname_codeql %} using the code-scanning query suite, so it can't confirm that a fix resolves alerts generated by custom queries or the security-extended query suite. Fix quality for alerts from third-party tools is also not guaranteed.
36+
37+
## Getting a suggested fix with {% data variables.copilot.copilot_autofix_short %}
38+
39+
{% data variables.copilot.copilot_autofix_short %} generates a single suggested fix for an alert, which you review and apply yourself.
40+
41+
You do not need a subscription to {% data variables.product.prodname_copilot %} to use {% data variables.copilot.copilot_autofix %}, and it does not consume {% data variables.product.prodname_ai_credits_short %}. {% data variables.copilot.copilot_autofix_short %} is available to all public repositories on {% data variables.product.prodname_dotcom_the_website %}, as well as internal or private repositories owned by organizations and enterprises that have a license for {% data variables.product.prodname_GH_code_security %}.
42+
43+
{% data variables.copilot.copilot_autofix_short %} is allowed by default and enabled for every repository that uses {% data variables.product.prodname_codeql %}, regardless of whether it uses default or advanced setup for {% data variables.product.prodname_code_scanning %}. There is no separate step to enable {% data variables.copilot.copilot_autofix_short %}: enabling {% data variables.product.prodname_code_scanning %} with {% data variables.product.prodname_codeql %} is sufficient. See [AUTOTITLE](/code-security/code-scanning/enabling-code-scanning/configuring-default-setup-for-code-scanning).
44+
45+
Administrators at the enterprise, organization, and repository levels can choose to disable {% data variables.copilot.copilot_autofix_short %}. If {% data variables.copilot.copilot_autofix_short %} has been disabled at your level, you can re-enable it by following the same steps used to disable it and selecting the option to allow {% data variables.copilot.copilot_autofix_short %}. To learn how to manage {% data variables.copilot.copilot_autofix_short %} at each level, see [AUTOTITLE](/code-security/how-tos/manage-security-alerts/manage-code-scanning-alerts/disabling-autofix-for-code-scanning).

0 commit comments

Comments
 (0)