Repo sync

content/contributing/style-guide-and-content-model/style-guide.md

@@ -810,6 +810,19 @@ If multiple roles or products apply to a permission statement or product callout
 
 You can use inline links to provide more information about a role or product. The linked text must match the link destination so that it is clear where following the link will lead to.
 
+## Parenthetical dashes
+
+We use em dashes for parenthetical statements in normal body text. This doesn’t apply to text within code blocks.
+
+Examples:
+
+* ✅ Correct: "The cat—which sat on a branch—smiled with a broad grin." (em dash without spaces)
+* ❌ Incorrect: "The cat — which sat on a branch — smiled with a broad grin." (em dash with spaces)
+* ❌ Incorrect: "The cat–which sat on a branch–smiled with a broad grin." (en dash without spaces)
+* ❌ Incorrect: "The cat – which sat on a branch – smiled with a broad grin." (en dash with spaces)
+* ❌ Incorrect: "The cat-which sat on a branch-smiled with a broad grin." (hyphen without spaces)
+* ❌ Incorrect: "The cat - which sat on a branch - smiled with a broad grin." (hyphen with spaces)
+
 ## Placeholders
 
 Style any placeholder text in all caps. If a placeholder is multiple words, connect the words with dashes (kebab-case). If you use a placeholder, explain what someone might replace it with. This helps people modify examples to fit their needs and helps identify placeholders for people who use assistive technology.

content/copilot/tutorials/copilot-chat-cookbook/security-analysis/index.md

@@ -9,6 +9,8 @@ versions:
 topics:
   - Copilot
 children:
+  - /securing-your-repository
+  - /managing-dependency-updates
   - /finding-existing-vulnerabilities-in-code
 ---
 

content/copilot/tutorials/copilot-chat-cookbook/security-analysis/managing-dependency-updates.md

@@ -0,0 +1,143 @@
+---
+title: Managing dependency updates
+shortTitle: Manage dependency updates
+intro: '{% data variables.copilot.copilot_chat_short %} can help you get set up with {% data variables.product.prodname_dependabot %} to streamline dependency updates.'
+versions:
+  feature: copilot
+category:
+  - 'Security analysis'
+complexity:
+  - Simple
+octicon: code
+topics:
+  - Copilot
+---
+
+## Automate dependency updates
+
+### Example scenario
+
+Let's say your project depends on numerous libraries and packages. Vulnerable or outdated dependencies create security risks that can affect your project and others that rely on it.
+
+{% data variables.copilot.copilot_chat_short %} can help you get set up with {% data variables.product.prodname_dependabot %} security and version updates, so that your dependencies always remain on the most secure, and up-to-date versions. See [AUTOTITLE](/code-security/dependabot/dependabot-security-updates/about-dependabot-security-updates) and [AUTOTITLE](/code-security/dependabot/dependabot-version-updates/about-dependabot-version-updates).
+
+Before you begin, ensure that {% data variables.product.prodname_dependabot %} is fully enabled under your repository's "Settings."
+1. Under your "Code security" settings, ensure **{% data variables.product.prodname_dependabot_alerts %}** and **{% data variables.product.prodname_dependabot_security_updates %}** are both set to "Enabled."
+1. Create and commit an empty `.github/dependabot.yml` file to the repository.
+
+### Example prompt
+
+Make sure your repository is attached to the prompt for context.
+
+`Analyze the codebase and project structure of this repository. Detect all package managers and package ecosystems in use, including their respective locations (e.g., npm, yarn, pip, maven, gradle, composer, github-actions, etc.).`
+
+`For each detected ecosystem, create a configuration entry in a single, top-level .github/dependabot.yml file that enables security and version updates on a reasonable schedule. Use the recommended best practices for each ecosystem. Clearly specify the directory for each ecosystem detected. If multiple ecosystems or multiple directories are present, include them all in the configuration.`
+
+`In the output, include any notes on the configuration or best practices, as well as next steps that include how to commit the dependabot.yml file to the repository via the GitHub web browser and how to check that Dependabot version updates and Dependabot security updates are enabled.`
+
+### Example output
+
+{% data variables.copilot.copilot_chat_short %} analyzes your repository and writes the contents of the `dependabot.yml` configuration file for you, which tells {% data variables.product.prodname_dependabot %} which dependencies it needs to scan for.
+
+```yaml
+version: 2
+updates:
+  # Python (pip)
+  - package-ecosystem: "pip"
+    directory: "/"                     # Location of requirements.txt
+    schedule:
+      interval: "weekly"               # Weekly updates are a good balance for libraries
+      day: "sunday"
+      time: "06:00"
+      timezone: "UTC"
+    open-pull-requests-limit: 5
+    allow:
+      - dependency-type: "all"
+    commit-message:
+      prefix: "pip"
+    labels:
+      - "dependencies"
+      - "python"
+    ignore:
+      - dependency-name: "pip"         # Ignore pip self-updates
+
+  # GitHub Actions
+  - package-ecosystem: "github-actions"
+    directory: "/"                     # Looks for workflow files under .github/workflows/
+    schedule:
+      interval: "weekly"
+      day: "sunday"
+      time: "06:00"
+      timezone: "UTC"
+    open-pull-requests-limit: 5
+    commit-message:
+      prefix: "actions"
+    labels:
+      - "dependencies"
+      - "github-actions"
+```
+
+Once you've committed the `dependabot.yml` file to your repository, {% data variables.product.prodname_dependabot %} will begin to open pull requests against your repository, whenever a vulnerable or outdated dependency is detected.
+
+## Customize dependency management
+
+### Example scenario
+
+### Example scenario
+
+Let's say your team has been using the basic {% data variables.product.prodname_dependabot %} configuration for a few months, and you're getting lots of dependency update pull requests. However, you're finding that:
+
+* Pull requests are sitting un-reviewed because no one is automatically assigned.
+* You want pull requests to be automatically added to your team's project board via a label.
+* Your CI is getting overwhelmed with too many concurrent dependency pull requests.
+* You're getting updates for development dependencies that don't affect production.
+
+You want to customize your {% data variables.product.prodname_dependabot %} configuration to better fit your team's workflow, such as automatically assigning pull requests to the right team members, adding labels to add pull requests to project board, limiting the number of open pull requests, and focusing only on production dependencies.
+
+{% data variables.copilot.copilot_chat_short %} can write an updated `dependabot.yml` that better suits your team's needs.
+
+### Example prompt
+
+`I want to customize my pull requests for Dependabot security and version updates, so that:`
+
+`* Pull requests are automatically assigned to the team "octocat-reviewers."`
+
+`* The label "security-management" is automatically added to every pull request.`
+
+`* The number of open Dependabot PRs is limited.`
+
+`* Development dependencies are ignored.`
+
+`Draft an update to the dependabot.yml file in my repository that specifies these customization options.`
+
+> [!TIP]
+> * There are many customization options to explore. For more information, see [AUTOTITLE](/code-security/dependabot/dependabot-security-updates/customizing-dependabot-security-prs) and [AUTOTITLE](/code-security/dependabot/dependabot-version-updates/customizing-dependabot-prs).
+> * You can specify different customizations per package ecosystem.
+
+### Example output
+
+```yaml
+version: 2
+updates:
+  # Python (pip)
+  - package-ecosystem: "pip"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+      day: "sunday"
+      time: "06:00"
+      timezone: "UTC"
+    open-pull-requests-limit: 5
+    allow:
+      - dependency-type: "production"     # Ignore development dependencies
+    assignees:
+      - "octocat-reviewers"               # Assign PRs to the team
+    labels:
+      - "dependencies"
+      - "security-management"             # Custom label for all PRs
+      - "python"
+    commit-message:
+      prefix: "pip"
+    ignore:
+      - dependency-name: "pip"
+```  

content/copilot/tutorials/copilot-chat-cookbook/security-analysis/securing-your-repository.md

@@ -0,0 +1,126 @@
+---
+title: Securing your repository
+shortTitle: Secure your repository
+intro: '{% data variables.copilot.copilot_chat_short %} can help you to secure your repository and your code.'
+versions:
+  feature: copilot
+category:
+  - 'Security analysis'
+complexity:
+  - Simple
+octicon: code
+topics:
+  - Copilot
+---
+
+## Configure essential security features
+
+### Example scenario
+
+Let's say you recently created a repository for a new web application, you want to secure it and you don't know where to start.
+
+{% data variables.copilot.copilot_chat_short %} can walk you through configuring the most essential security features to ensure your repository remains secure.
+
+### Example prompt
+
+`Provide step-by-step instructions on how to enable the following essential security features in my GitHub repository:`
+
+`* Secret scanning`
+
+`* Push protection`
+
+`* Dependabot alerts`
+
+`* Dependabot security updates`
+
+`* Branch protection rules, including enforced code reviews before merging`
+
+`Explain why each feature is important and how it helps secure my repository.`
+
+### Example response
+
+{% data variables.copilot.copilot_chat_short %} provides information on each security feature and explains how to enable it.
+
+```markdown
+Why it's important:
+
+Secret scanning automatically detects accidentally committed secrets (API keys, credentials, etc.) in your repository.
+
+How it helps:
+
+Leaked secrets can allow attackers to access systems, steal data, or cause other harm. Early detection prevents misuse.
+
+How to Enable:
+
+1. Go to your repository on {% data variables.product.github %}.
+1. Click on Settings.
+1. In the left sidebar, click Code security.
+1. Scroll to Secret scanning.
+1. Ensure "Secret scanning" and "Push protection" are both enabled.
+1. If not, click Enable.
+```
+
+## Encourage secure contributions and best practices with a security policy
+
+### Example scenario
+
+Let's say you want to share your project publicly, and want to set out a clear security policy to guide users on how to safely report vulnerabilities found in your repository.
+
+{% data variables.copilot.copilot_chat_short %} can write a security policy for your repository.
+
+### Example prompt
+
+`Write a GitHub security policy (SECURITY.md) for my repository. The policy should include:`
+
+`* A clear description of how users can report security vulnerabilities.`
+
+`* A response timeline for security issues.`
+
+`* Guidelines for responsible disclosure.`
+
+`* Supported versions of the software.`
+
+`Format it as a well-structured Markdown document.`
+
+### Example output
+
+{% data variables.copilot.copilot_chat_short %} produces a `SECURITY.md` file that you can commit to your repository.
+
+```markdown
+# Security Policy
+
+Thank you for helping to keep this project and its users secure! This document outlines the security policy and responsible disclosure guidelines for this repository.
+
+## Reporting a Vulnerability
+
+If you discover a security vulnerability, please report it by emailing **[email protected]** or by using the GitHub [security advisories](https://github.com/octocat/octocat-repo/security/advisories) feature.  
+**Do not** report security vulnerabilities via public GitHub issues or pull requests.
+
+When reporting a vulnerability, please include as much information as possible to help us understand and reproduce the issue:
+- A clear description of the vulnerability.
+- Steps to reproduce the issue.
+- Any relevant logs, screenshots, or proof-of-concept code.
+- Your assessment of the potential impact.
+
+## Response Timeline
+
+We take security issues seriously and will respond according to the following guidelines:
+- **Acknowledgment:** We will acknowledge receipt of your report within **3 business days**.
+- **Investigation:** We will investigate and assess the report as quickly as possible, usually within **7 business days**.
+- **Resolution:** Once a fix is identified, we will work to release a security update promptly. We will coordinate with you as needed, especially if you are the reporter.
+- **Disclosure:** We will notify the community of the vulnerability and fix via a GitHub security advisory, and credit the reporter as appropriate.
+
+## Responsible Disclosure Guidelines
+
+To protect users of this project, we ask that you:
+- Avoid public disclosure of the vulnerability until it has been investigated and patched.
+- Allow us a reasonable amount of time to resolve the issue before any public disclosure.
+- Provide relevant details privately (see "Reporting a Vulnerability" above).
+- Act in good faith and avoid exploiting the vulnerability beyond what is necessary for your report.
+
+We are committed to working with security researchers and the community to ensure a safe and secure software ecosystem.
+```
+
+## Further reading
+
+{% data reusables.copilot.example-prompts.further-reading-items %}

content/rest/orgs/attestations.md

@@ -1,7 +1,7 @@
 ---
-title: TODOCS
-shortTitle: TODOCS
-intro: TODOCS
+title: REST API endpoints for artifact attestations
+shortTitle: Artifact attestations
+intro: Use the REST API to interact with artifact attestations.
 versions: # DO NOT MANUALLY EDIT. CHANGES WILL BE OVERWRITTEN BY A 🤖
   fpt: '*'
   ghec: '*'

data/reusables/gated-features/security-features-basic.md

@@ -0,0 +1,5 @@
+The availability of security features mentioned in this article varies:
+
+* {% data variables.product.prodname_dependabot %} is available for all repository types.
+* {% data variables.product.prodname_secret_scanning_caps %} and push protection are available for public repositories, or private repositories with [{% data variables.product.prodname_GH_secret_protection %}](/get-started/learning-about-github/about-github-advanced-security) enabled.
+* Branch protection rules are available for public repositories, or private repositories on a {% data variables.product.prodname_pro %}, {% data variables.product.prodname_team %}, {% data variables.product.prodname_ghe_cloud %}, and {% data variables.product.prodname_ghe_server %} plan.