Merge pull request #49986 from ShawnKupfer/WB1746

AB#1044032: Manage sensitive data and security policies within GitHub

Author: JillGrant615

learn-pr/github/manage-sensitive-data-security-policies/1-introduction.yml

@@ -5,7 +5,7 @@ metadata:
   unitType: introduction
   title: Introduction
   description: Learn how to manage sensitive data and security policies within GitHub.
-  ms.date: 05/03/2024
+  ms.date: 04/14/2025
   author: a-a-ron
   ms.author: aastewar
   ms.topic: unit

learn-pr/github/manage-sensitive-data-security-policies/2-set-security-policies.yml

@@ -5,7 +5,7 @@ metadata:
   unitType: learning-content
   title: Setting security policies 
   description: Learn about preventative measures you can take to maintain the health of your GitHub repositories.
-  ms.date: 05/03/2024
+  ms.date: 04/14/2025
   author: a-a-ron
   ms.author: aastewar
   ms.topic: unit

learn-pr/github/manage-sensitive-data-security-policies/3-scrub-sensitive-data-from-repository.yml

@@ -5,7 +5,7 @@ metadata:
   unitType: learning-content
   title: Create and manage repository rulesets
   description: Learn about tools to help prevent committing sensitive data.
-  ms.date: 05/03/2024
+  ms.date: 04/14/2025
   author: a-a-ron
   ms.author: aastewar
   ms.topic: unit

learn-pr/github/manage-sensitive-data-security-policies/4-report-logs.yml

@@ -5,7 +5,7 @@ metadata:
   unitType: learning-content
   title: Reporting and logging 
   description: Learn what your organization's audit log records, and how to access and export it.
-  ms.date: 05/03/2024
+  ms.date: 04/14/2025
   author: a-a-ron
   ms.author: aastewar
   ms.topic: unit

learn-pr/github/manage-sensitive-data-security-policies/5-exercise.yml

@@ -5,7 +5,7 @@ metadata:
   unitType: exercise
   title: Exercise - Remove commit history 
   description: Test your knowledge on removing a commit from the git history of a repository. It is automatically graded via a workflow after you complete the instructions.
-  ms.date: 05/03/2024
+  ms.date: 04/14/2025
   author: a-a-ron
   ms.author: aastewar
   ms.topic: unit

learn-pr/github/manage-sensitive-data-security-policies/6-knowledge-check.yml

@@ -5,7 +5,7 @@ metadata:
   unitType: knowledge_check
   title: Module assessment
   description: Check what you learned - Manage sensitive data and security policies module
-  ms.date: 05/03/2024
+  ms.date: 04/14/2025
   author: a-a-ron
   ms.author: aastewar
   ms.topic: unit
@@ -45,13 +45,13 @@ quiz:
       explanation: "A security advisory should be comprehensive, including the following information: product and versions affected, severity, types of security weaknesses addressed by the project owners' actions, impact, status of patches, and workarounds."
     - content: "Severity and exposure list."
       isCorrect: false
-      explanation: "Exposure list research can help to determine if the vulnerability you're patching matches an existing entry, but not needed for the security advisory."
+      explanation: "Exposure list research can help to determine if the vulnerability you're patching matches an existing entry, but it's not needed for the security advisory."
     - content: "Administrator name and severity."
       isCorrect: false
-      explanation: "The administrator name would be unneeded and a security risk if provided publicly. Exposure list research can help to determine if the vulnerability you're patching matches an existing entry, but not needed for the security advisory."
+      explanation: "The administrator name would be unneeded and a security risk if provided publicly. Exposure list research can help to determine if the vulnerability you're patching matches an existing entry, but it's not needed for the security advisory."
     - content: "Exposures list and administrator name."
       isCorrect: false
-      explanation: "Exposure list research can help to determine if the vulnerability you're patching matches an existing entry, but not needed for the security advisory. The administrator name would be unneeded and a security risk if provided publicly."
+      explanation: "Exposure list research can help to determine if the vulnerability you're patching matches an existing entry, but it's not needed for the security advisory. The administrator name would be unneeded and a security risk if provided publicly."
   - content: "Which two pieces of information are included in your organization's log?"
     choices:
     - content: "The user that performed the action and the date and time of the action."

learn-pr/github/manage-sensitive-data-security-policies/7-summary.yml

@@ -5,7 +5,7 @@ metadata:
   unitType: summary
   title: Summary
   description: Summary of managing sensitive data and security policies within GitHub.
-  ms.date: 05/03/2024
+  ms.date: 04/14/2025
   author: a-a-ron
   ms.author: aastewar
   ms.topic: unit

learn-pr/github/manage-sensitive-data-security-policies/includes/2-set-security-policies.md

@@ -1,6 +1,6 @@
 In this unit, you'll learn more about the preventive measures you can take to maintain the health of your GitHub repositories.
 
-Suppose you're an administrator who is helping to onboard many new collaborators to your organization. You need to make sure they contribute to the proper repositories and have easy access to assistance if they discover a security threat. To do this, you set security policies.
+Suppose you're an administrator who's helping to onboard many new collaborators to your organization. You need to make sure they contribute to the proper repositories and have easy access to assistance if they discover a security threat. To do this, you set security policies.
 
 :::image type="content" source="../media/setting-security-policies.png" alt-text="Three screenshots stacked on each other, slightly offset, which show community health files in a repository and settings for an organization.":::
 
@@ -63,11 +63,11 @@ GitHub uses and displays these default files for any repository owned by the acc
 
 ## Security settings
 
-The other component of creating robust security policies is taking advantage of GitHub's built-in security settings and features. Imagine you're onboarding collaborators whose scope of work varies; some are part of focused teams to implement a feature, while others are responsible for watching over the code base for issues, and a few others might need to assist you with administrative duties. In this section, you'll learn about settings that define user permissions and allow automation of common security tasks.
+The other component of creating robust security policies is taking advantage of GitHub's built-in security settings and features. Imagine you're onboarding collaborators whose scope of work varies; some are part of focused teams to implement a feature, while others are responsible for watching over the code base for issues, and a few others might need to assist you with administrative duties. In this section, you'll learn about settings that define user permissions and allow you to automate common security tasks.
 
 ### Change settings according to a trust and control position
 
-Every organization has a trust and control position: circumstances that determine how much trust you can safely extend to individual collaborators and teams, and how much control you need to maintain over basic permissions.
+Every organization has a trust and control position: circumstances that determine how much trust you can safely extend to individual collaborators and teams and how much control you need to maintain over basic permissions.
 
 If your organization is a new business with a small team, it likely has few moving parts and few areas of potential security vulnerability. After all, when team members work in the same office or in nearby time zones, it's easy to identify who can take specific actions and how to contact them. In this case, you can safely trust most or all collaborators with high levels of access and capability.
 
@@ -106,22 +106,21 @@ As you can see, settings that Enterprise administrators enforce cascade down to
 Changing security settings at the organization level or for all organizations covered by the Enterprise plan is powerful, because it can standardize user capabilities during unusual circumstances. In the preceding example, you might need to restrict capabilities to all but a few users for an organization—or even for the whole enterprise—in response to a security threat. In contrast, you could temporarily allow greater capabilities to all users in an organization during a rare development effort where you need help from extra personnel.
 
 > [!NOTE]
-> Available settings and tools differ based on the type of repository. In addition,
-> these settings and features differ in their level of required user interaction.
+> Available settings and tools differ based on the type of repository. In addition, these settings and features differ in their level of required user interaction.
 
 :::image type="content" source="../media/availability-interaction.png" alt-text="Diagram of a four-quadrant graph, divided by x and y axes, which categorizes security settings by availability to users (x axis) and required level of interaction (y axis).":::
 
 ### What kinds of security settings are available to administrators?
 
 Access restrictions, security documentation, advisories, Dependabot alerts and security updates, Dependabot version updates, and the GitHub dependency graph are available for all repositories. Documentation and advisories require the most significant manual interaction, but applying Dependabot to your code base automates parts of the security process, up to and including updating dependencies.
 
-Code scanning alerts, secret scanning alerts, and dependency review provide further automation to the security process. Enabling these GitHub features will flag vulnerabilities in code submitted to a repository, highlighting suspicious code. However, these features are only available for private repositories with an Advanced Security license or public repositories.
+Code scanning alerts, secret scanning alerts, and dependency review provide further automation to the security process. Enabling these GitHub features flags vulnerabilities in code submitted to a repository, highlighting suspicious code. However, these features are only available for private repositories with an Advanced Security license or public repositories.
 
 If you have a security vulnerability, you can create a security advisory to privately discuss and fix the vulnerability.
 
 ## Security advisories
 
-You've been vigilant in your efforts to maintain healthy code, establishing clear policies and enacting settings to help collaborators work within their scope. But despite your team's efforts, someone identified a vulnerability in published code. This happens to every team sooner or later--no one is perfect.
+You've been vigilant in your efforts to maintain healthy code, establishing clear policies and enacting settings to help collaborators work within their scope. But despite your team's efforts, someone identified a vulnerability in published code. This happens to every team sooner or later; no one is perfect.
 
 When you identify a security threat, your team's response will go beyond patching offending sections of code. In this section, you'll learn the basics of the GitHub security advisory tools that allow you to draft and publish comprehensive documentation on the nature of the threat.
 

learn-pr/github/manage-sensitive-data-security-policies/includes/3-scrub-sensitive-data-from-repository.md

@@ -36,7 +36,7 @@ To create a ruleset:
 
 :::image type="content" source="../media/new-branch-ruleset.png" alt-text="Create a new branch ruleset page from the left hand navigation bar.":::
 
-When creating a ruleset you can grant bypass permissions, choose which branches or tags to target, and select the rules to include.
+When creating a ruleset, you can grant bypass permissions, choose which branches or tags to target, and select the rules to include.
 
 ## Manage a ruleset
 
@@ -66,7 +66,7 @@ A ruleset doesn't have a priority. Instead, if multiple rulesets target the same
 For example, consider the following situation for the `my-feature` branch of the `octo-org/octo-repo` repository:
 
 - A repository administrator has set up a ruleset targeting the `my-feature` branch. This ruleset requires signed commits, and three reviews on pull requests before they can be merged.
-- An existing branch protection rule for the `my-feature` branch requires a linear commit history, and two reviews on pull requests before they can be merged.
+- An existing branch protection rule for the `my-feature` branch requires a linear commit history and two reviews on pull requests before they can be merged.
 
 The rules from each source are aggregated, and all rules apply. Where multiple different versions of the same rule exist, the result is that the most restrictive version of the rule applies. Therefore, the `my-feature` branch requires signed commits and a linear commit history, and pull requests targeting the branch will require three reviews before they can be merged.
 

learn-pr/github/manage-sensitive-data-security-policies/includes/4-report-log.md

@@ -6,13 +6,13 @@ Here you'll learn what your organization's audit log records, and how to access
 
 ## What are log records?
 
-Your organization's log records actions taken by organization members. The log is available to organization owners, and records information about actions that affect the organization including:
+Your organization's log records actions taken by organization members. The log is available to organization owners, and records information about actions that affect the organization, including:
 
 - The repository in which the action was performed.
 - The user that performed the action.
 - The action that was performed.
 - Which country/region in which the action took place.
-- The date and time of the action.
+- The action date and time.
 
 You can access the audit log through GitHub.com, GitHub Enterprise Server, or GitHub AE to review actions from the past 90 days. However, interacting with the audit log using either the GraphQL API or the Rest API can allow easy retrieval of specific information types, with other limitations.