diff --git a/content/code-security/securing-your-organization/troubleshooting-security-configurations/a-repository-is-using-advanced-setup-for-code-scanning.md b/content/code-security/securing-your-organization/troubleshooting-security-configurations/a-repository-is-using-advanced-setup-for-code-scanning.md index e13f13f0b2c1..1a8117262ac0 100644 --- a/content/code-security/securing-your-organization/troubleshooting-security-configurations/a-repository-is-using-advanced-setup-for-code-scanning.md +++ b/content/code-security/securing-your-organization/troubleshooting-security-configurations/a-repository-is-using-advanced-setup-for-code-scanning.md @@ -15,7 +15,9 @@ topics: ## About the problem -You cannot successfully apply a {% data variables.product.prodname_security_configuration %} with {% data variables.product.prodname_code_scanning %} default setup set to "Enabled" to a target repository that uses advanced setup for {% data variables.product.prodname_code_scanning %}. Advanced setups are tailored to the specific security needs of their repositories, so they are not intended to be overridden at scale. +You cannot successfully apply a {% data variables.product.prodname_security_configuration %} with {% data variables.product.prodname_code_scanning %} default setup set to "Enabled" to a target repository that has an active configuration of advanced setup for {% data variables.product.prodname_code_scanning %}. Advanced setups are tailored to the specific security needs of the repositories they are applied to, so they are not intended to be overridden at scale. + +### Active advanced setup If you try to attach a {% data variables.product.prodname_security_configuration %} with {% data variables.product.prodname_code_scanning %} set to "Enabled" to a repository that already uses advanced setup, security settings will be applied as follows: 
@@ -23,13 +25,11 @@ If you try to attach a {% data variables.product.prodname_security_configuration * **All other security features enabled in the configuration will be enabled.** * **The {% data variables.product.prodname_security_configuration %} will not be attached** to the repository, since only some features from the configuration are enabled. -For all repositories without an active advanced setup, the {% data variables.product.prodname_security_configuration %} will be applied as expected, and {% data variables.product.prodname_code_scanning %} default setup will be enabled. +### Inactive or absent advanced setup + +{% data reusables.code-scanning.inactive-advanced-setup %} -> [!NOTE] -> If advanced setup is considered inactive for a repository, default setup _will_ still be enabled for that repository. Advanced setup is considered inactive for a repository if the repository meets any of the following criteria: -> * The latest {% data variables.product.prodname_codeql %} analysis is more than 90 days old -> * All {% data variables.product.prodname_codeql %} configurations have been deleted -> * The workflow file has been deleted or disabled (exclusively for YAML-based advanced setup) +If there is no advanced setup or the advanced setup is inactive, then default setup is enabled and the {% data variables.product.prodname_security_configuration %} applied as expected. ## Solving the problem diff --git a/content/code-security/securing-your-organization/troubleshooting-security-configurations/index.md b/content/code-security/securing-your-organization/troubleshooting-security-configurations/index.md index 7577474bafb6..76de4e969f01 100644 --- a/content/code-security/securing-your-organization/troubleshooting-security-configurations/index.md +++ b/content/code-security/securing-your-organization/troubleshooting-security-configurations/index.md 
@@ -1,6 +1,6 @@ --- title: Troubleshooting security configurations -shortTitle: Troubleshooting configurations +shortTitle: Troubleshoot configurations intro: 'To successfully apply a {% data variables.product.prodname_security_configuration %}, you may need to troubleshoot unexpected issues.' versions: feature: security-configurations @@ -11,6 +11,7 @@ topics: - Security children: - /a-repository-is-using-advanced-setup-for-code-scanning + - /unexpected-default-setup - /not-enough-github-advanced-security-licenses - /feature-disappears --- diff --git a/content/code-security/securing-your-organization/troubleshooting-security-configurations/unexpected-default-setup.md b/content/code-security/securing-your-organization/troubleshooting-security-configurations/unexpected-default-setup.md new file mode 100644 index 000000000000..27a22e4c501d --- /dev/null +++ b/content/code-security/securing-your-organization/troubleshooting-security-configurations/unexpected-default-setup.md 
@@ -0,0 +1,33 @@ +--- +title: Default setup for code scanning overrides advanced setup +shortTitle: Unexpected default setup +intro: 'You apply a {% data variables.product.prodname_security_configuration %} with "Enabled with advanced setup allowed" and the existing advanced setup for {% data variables.product.prodname_code_scanning %} is ignored in some repositories.' +permissions: '{% data reusables.permissions.security-org-enable %}' +versions: + feature: security-configurations +topics: + - Code Security + - Organizations + - Security +--- + +## About the problem + +When you apply a {% data variables.product.prodname_security_configuration %} and {% data variables.product.prodname_code_scanning %} is defined as "Enabled with advanced setup allowed", each repository is checked to see if there is an existing, active, advanced setup. + +* **No change to {% data variables.product.prodname_code_scanning %}** if an **active** advanced setup configuration is detected. +* **Default setup is enabled** for repositories where advanced setup is **inactive or absent**. + +### Inactive or absent advanced setup + +{% data reusables.code-scanning.inactive-advanced-setup %} + +## Solving the problem + +This solution has two parts: + +1. Any repositories where default setup for {% data variables.product.prodname_code_scanning %} was unexpectedly applied need to run {% data variables.product.prodname_codeql %} analysis at intervals of less than 90 days, for example, once a month. + + Even if the repository is not under active development, new vulnerabilities may be identified by updates to {% data variables.product.prodname_codeql %} analysis. + +1. Once the affected repositories all have {% data variables.product.prodname_codeql %} analysis running, you can reapply the {% data variables.product.prodname_security_configuration %}. 
diff --git a/data/reusables/code-scanning/enable-default-setup-allow-advanced-setup-note.md b/data/reusables/code-scanning/enable-default-setup-allow-advanced-setup-note.md index a38a139593d8..5e71f2dbcad1 100644 --- a/data/reusables/code-scanning/enable-default-setup-allow-advanced-setup-note.md +++ b/data/reusables/code-scanning/enable-default-setup-allow-advanced-setup-note.md @@ -1,3 +1,2 @@ > [!NOTE] -> To create a configuration that you can apply to a repository that uses advanced setup for {% data variables.product.prodname_codeql %}, choose "Enabled with advanced setup allowed". This setting enables default setup in repositories where advanced setup for {% data variables.product.prodname_codeql %} is not detected. -> _Option available from {% data variables.product.prodname_ghe_server %} 3.19._ +> To create a configuration that you can apply to all repositories regardless of current {% data variables.product.prodname_code_scanning %} setup, choose "Enabled with advanced setup allowed". This setting enables default setup only in repositories where {% data variables.product.prodname_codeql %} analysis is not actively run. _Option available from {% data variables.product.prodname_ghe_server %} 3.19._ diff --git a/data/reusables/code-scanning/inactive-advanced-setup.md b/data/reusables/code-scanning/inactive-advanced-setup.md new file mode 100644 index 000000000000..2be919da233c --- /dev/null +++ b/data/reusables/code-scanning/inactive-advanced-setup.md @@ -0,0 +1,5 @@ +Advanced setup is considered **inactive** for a repository if the repository meets any of the following criteria: + +* The latest {% data variables.product.prodname_codeql %} analysis is more than 90 days old. +* All {% data variables.product.prodname_codeql %} configurations have been deleted. +* The workflow file has been deleted or disabled (exclusively for advanced setup run using actions).
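Review bot: The new closing sentence of the `@@ -23,13 +25,11 @@` hunk in a-repository-is-using-advanced-setup-for-code-scanning.md is missing a verb: "the {% data variables.product.prodname_security_configuration %} applied as expected" should read "the {% data variables.product.prodname_security_configuration %} is applied as expected". Consider also moving that outcome sentence directly under the "### Inactive or absent advanced setup" heading, ahead of the `{% data reusables.code-scanning.inactive-advanced-setup %}` include, so the reader sees what happens first and the definition of "inactive" second, which is the order the new unexpected-default-setup.md page uses.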
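Review bot: The shortTitle change from "Troubleshooting configurations" to "Troubleshoot configurations" in the `@@ -1,6 +1,6 @@` hunk of index.md is unrelated to the new article and is only justified if sibling index pages use imperative short titles; please confirm that convention in the commit message or split the rename into its own change so it can be reviewed on its own.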
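Review bot: The "Solving the problem" steps in the new unexpected-default-setup.md leave the recovery path unclear: once default setup has been enabled in a repository, the article says to run {% data variables.product.prodname_codeql %} analysis at intervals of less than 90 days and then reapply the configuration, but it does not say whether the repository's advanced setup can run while default setup is active, whether default setup has to be switched off first, or what reapplying the configuration actually restores. State the expected end state (advanced setup detected as active again, default setup no longer enabled) and any prerequisite, otherwise an administrator has no way to tell whether the procedure worked. Minor: the intro says the existing advanced setup "is ignored" while the body says default setup "is enabled" where advanced setup is inactive or absent; pick one phrasing so the symptom and the explanation match.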
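Review bot: The rewritten note in enable-default-setup-allow-advanced-setup-note.md narrows the condition to "repositories where {% data variables.product.prodname_codeql %} analysis is not actively run", but the inactivity criteria introduced in inactive-advanced-setup.md also cover deleted configurations and deleted or disabled workflow files, so the two descriptions will drift; either include `{% data reusables.code-scanning.inactive-advanced-setup %}` here too or link to the new unexpected-default-setup article so readers choosing the option find the exact rules. The new wording "apply to all repositories regardless of current {% data variables.product.prodname_code_scanning %} setup" is also a stronger claim than the text it replaces ("a repository that uses advanced setup"); keep it only if the configuration really attaches in every case, including repositories with an active advanced setup, which the new article does not say.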
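Review bot: In the new inactive-advanced-setup.md reusable, the third criterion says "advanced setup run using actions" in lowercase plain text while every other product name in the patch uses a `{% data variables.product.… %}` variable; use `{% data variables.product.prodname_actions %}` and confirm that the new wording still means the same thing as the "YAML-based advanced setup" phrase it replaces (the workflow-file based setup). Since this reusable is now the single definition of the 90-day threshold that unexpected-default-setup.md repeats literally ("intervals of less than 90 days"), consider keeping the number in one place, or at least note in both files that they must change together.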