github
diff --git a/‎assets/images/help/security/security-campaigns-tracking-overview-2tabs.png‎
309 KB b/‎assets/images/help/security/security-campaigns-tracking-overview-2tabs.png‎
309 KB
diff --git a/‎assets/images/help/security/security-campaigns-tracking-overview-code-only.png‎
284 KB b/‎assets/images/help/security/security-campaigns-tracking-overview-code-only.png‎
284 KB
diff --git a/‎content/code-security/code-scanning/managing-code-scanning-alerts/assessing-code-scanning-alerts-for-your-repository.md‎
Lines changed: 1 addition & 0 deletions b/‎content/code-security/code-scanning/managing-code-scanning-alerts/assessing-code-scanning-alerts-for-your-repository.md‎
Lines changed: 1 addition & 0 deletions
diff --git a/‎content/code-security/code-scanning/managing-code-scanning-alerts/best-practices-for-participating-in-a-security-campaign.md‎
Lines changed: 6 additions & 4 deletions b/‎content/code-security/code-scanning/managing-code-scanning-alerts/best-practices-for-participating-in-a-security-campaign.md‎
Lines changed: 6 additions & 4 deletions
diff --git a/‎content/code-security/secret-scanning/managing-alerts-from-secret-scanning/viewing-alerts.md‎
Lines changed: 1 addition & 0 deletions b/‎content/code-security/secret-scanning/managing-alerts-from-secret-scanning/viewing-alerts.md‎
Lines changed: 1 addition & 0 deletions
diff --git a/‎content/code-security/securing-your-organization/fixing-security-alerts-at-scale/about-security-campaigns.md‎
Lines changed: 46 additions & 4 deletions b/‎content/code-security/securing-your-organization/fixing-security-alerts-at-scale/about-security-campaigns.md‎
Lines changed: 46 additions & 4 deletions
diff --git a/‎content/code-security/securing-your-organization/fixing-security-alerts-at-scale/best-practice-fix-alerts-at-scale.md‎
Lines changed: 34 additions & 13 deletions b/‎content/code-security/securing-your-organization/fixing-security-alerts-at-scale/best-practice-fix-alerts-at-scale.md‎
Lines changed: 34 additions & 13 deletions
@@ -37,6 +37,7 @@ By default, the {% data variables.product.prodname_code_scanning %} alerts page
    ![Screenshot of a {% data variables.product.prodname_code_scanning %} alert. The "Show paths" and "Show more" links are outlined in dark orange.](/assets/images/help/repository/code-scanning-alert-details.png)
 
 1. Alerts from {% data variables.product.prodname_codeql %} analysis include a description of the problem. Click **Show more** for guidance on how to fix your code.
+{% data reusables.security.alert-assignee-step %}
 
 For more information, see [AUTOTITLE](/code-security/code-scanning/managing-code-scanning-alerts/about-code-scanning-alerts).
 
 
@@ -1,7 +1,7 @@
 ---
-title: Best practices for participating in a security campaign
+title: Best practices for participating in a code security campaign
 shortTitle: Best practices for campaigns
-intro: 'Learn how you can successfully take part in a security campaign and how it can benefit your career as well as your code.'
+intro: 'Learn how you can successfully take part in a security campaign for {% data variables.product.prodname_code_scanning %} alerts and how it can benefit your career as well as your code.'
 allowTitleToDifferFromFilename: true
 permissions: '{% data reusables.permissions.code-scanning-all-alerts %}'
 product: '{% data reusables.gated-features.security-campaigns %}'
@@ -15,9 +15,9 @@ topics:
   - Repositories
 ---
 
-## What is a security campaign
+## What is a code security campaign
 
-A security campaign is a group of security alerts, detected in the default branches of repositories, chosen by an organization owner or security manager for remediation.
+A security campaign is a group of {% data variables.product.prodname_code_scanning %} alerts, detected in the default branches of repositories, chosen by an organization owner or security manager for remediation.
 
 You can take part in a security campaign by fixing one or more of the alerts included in the campaign.
 
@@ -40,6 +40,8 @@ Adopting a few key best practices can help you participate successfully in a cam
 
 You'll automatically receive email updates about security campaigns for any repositories you have **write** access to, so you can stay informed about relevant updates.
 
+{% data reusables.security.alert-assignee-mention %}
+
 ### View campaign details
 
 When you open the **Security** tab for a repository with one or more campaign alerts, you can see the campaign name in the sidebar of the view. Click the campaign name to see the list of alerts included in the campaign and summary information on how the campaign is progressing.
 
@@ -95,6 +95,7 @@ Alerts for {% data variables.product.prodname_secret_scanning %} are displayed u
    > {% data reusables.secret-scanning.secret-scanning-user-owned-repo-access %}
 
    {% endif %}
+{% data reusables.security.alert-assignee-step %}
 
 ## Filtering alerts
 
 
@@ -5,38 +5,80 @@ intro: 'You can fix security alerts at scale by creating security campaigns and
 product: '{% data reusables.gated-features.security-campaigns %}'
 allowTitleToDifferFromFilename: true
 type: overview
+audience:
+  - driver
+contentType: concepts
 versions:
   feature: security-campaigns
 topics:
   - Code Security
+  - Secret Protection
   - Organizations
   - Security
 ---
 
-Once you have identified security alerts in the default branches of your repositories, the next step is to identify the most urgent alerts and get them fixed. Security campaigns are a way to group alerts and share them with developers, so you can collaborate to remediate vulnerabilities in the code.
+Once you have identified security alerts the next step is to identify the most urgent alerts and get them fixed. Security campaigns are a way to group alerts and share them with developers, so you can collaborate to remediate vulnerabilities in the code{% ifversion security-campaigns-secrets %} and any exposed secrets{% endif %}.
 
 ## Security campaigns in your day-to-day work
 
 You can use security campaigns to support many of your aims as a security leader.
 
 * Improving the security posture of the company by leading work to remediate alerts.
-* Reinforcing security training for developers by creating a campaign of related alerts to fix collaboratively.
+* Reinforcing security training for developers by creating a campaign of related, {% data variables.product.prodname_code_scanning %} alerts to fix collaboratively.{% ifversion security-campaigns-secrets %}
+* Ensuring that {% data variables.product.prodname_secret_scanning %} alerts are resolved within your remediation target.{% endif %}
 * Building collaborative relationships between the security team and developers to promote shared ownership of security alerts.
 * Providing clarity to developers on the most urgent alerts to fix and monitoring alert remediation.
 
 ## Benefits of using security campaigns
 
 A security campaign has many benefits over other ways of encouraging developers to remediate security alerts. In particular,
 
-* Developers are notified about any security campaigns taking place in repositories they work in or subscribe to by email.
+* Developers are notified about any security campaigns that they can contribute to.
 * Developers can see the alerts you've highlighted for remediation without leaving their normal workflows.
 * Each campaign has a named point of contact for questions, reviews, and collaboration.  {% ifversion security-campaigns-autofix %}
-* {% data variables.copilot.copilot_autofix %} is automatically triggered to suggest a resolution for each security alert. {% endif %}
+* For {% data variables.product.prodname_code_scanning %} alerts, {% data variables.copilot.copilot_autofix %} is automatically triggered to suggest a resolution. {% endif %}
 
 You can use one of the templates to select a group of closely related alerts for a campaign. This allows developers to build on the knowledge gained by resolving one alert and use it to fix several more, providing them with an incentive to fix multiple alerts.
 
 {% data reusables.code-scanning.campaigns-api %}
 
+{% ifversion security-campaigns-secrets %}
+
+## Differences between code and secret campaigns
+
+{% data reusables.security.secrets-campaign-preview %}
+
+The creation workflow is the same for all campaigns, but you will notice a few differences in progress tracking and developer experience.
+
+{% rowheaders %}
+
+| Property | Code | Secret |
+|--|--|--|
+| Alerts available for inclusion | {% octicon "check" aria-label="Supported" %} Default branch only | {% octicon "check" aria-label="Supported" %}
+| Repository tracking issues | {% octicon "check" aria-label="Supported" %} | {% octicon "x" aria-label="Not supported" %} |
+| Developer notifications | {% octicon "check" aria-label="Supported" %} Requires write access to repository | {% octicon "check" aria-label="Supported" %} Requires view access to alerts list |
+| {% ifversion code-secret-alert-assignees %} |
+| Alert assignment | {% octicon "check" aria-label="Supported" %} | {% octicon "check" aria-label="Supported" %} May raise permissions |
+| {% endif %} |
+| Automatic remediation support | {% octicon "check" aria-label="Supported" %} {% data variables.copilot.copilot_autofix %} | {% octicon "x" aria-label="Not supported" %} |
+
+{% endrowheaders %}
+
+{% endif %}
+
+{% ifversion code-secret-alert-assignees %}
+
+### Assigning alerts
+
+>[!NOTE]
+> The option to assign {% data variables.product.prodname_code_scanning %} and {% data variables.product.prodname_secret_scanning %} alerts to users is currently in public preview and is subject to change.
+
+You can assign a {% data variables.product.prodname_code_scanning %} or {% data variables.product.prodname_secret_scanning %} alert to any user who has **write** access for the repository.
+
+If the assignee for a {% data variables.product.prodname_secret_scanning %} alert **cannot view the alert list**, their permissions are temporarily raised for that alert. Any additional permissions are revoked when they are unassigned from the alert.
+
+{% endif %}
+
 ## Next steps
 
 * [AUTOTITLE](/code-security/securing-your-organization/fixing-security-alerts-at-scale/best-practice-fix-alerts-at-scale)
 
@@ -5,10 +5,14 @@ intro: 'Guidance on how to create successful security campaigns that engage deve
 allowTitleToDifferFromFilename: true
 product: '{% data reusables.gated-features.security-campaigns %}'
 type: reference
+audience:
+  - driver
+contentType: tutorials
 versions:
   feature: security-campaigns
 topics:
   - Code Security
+  - Secret Protection
   - Organizations
   - Security
 ---
@@ -17,30 +21,47 @@ topics:
 
 Successful security campaigns to fix alerts at scale have many features in common, including:
 
-* Selecting a related group of security alerts for remediation.
-* Using {% data variables.copilot.copilot_autofix_short %} suggestions where possible to help developers remediate alerts faster and more effectively.
+* Selecting a related group of security alerts for remediation.{% ifversion security-campaigns-autofix %}
+* For code campaigns, using {% data variables.copilot.copilot_autofix_short %} suggestions where possible to help developers remediate alerts faster and more effectively.{% endif %}
 * Making sure that the campaign managers are available for collaboration, reviews, and questions about fixes.
-* Providing access to educational information about the type of alerts included in the campaign.{% ifversion ghec %}
-* Making {% data variables.copilot.copilot_chat %} available for developers to use to learn about the vulnerabilities highlighted by the security alerts in the campaign. {% endif %}
+* Providing access to educational information about the type of alerts included in the campaign.
+* Making {% data variables.copilot.copilot_chat %} available for developers to use to learn about the vulnerabilities highlighted by the security alerts in the campaign.
 * Defining a realistic deadline for campaign, bearing in mind the number of alerts you aim to fix.
 * Publicizing the collaboration to developer teams and identifying the best way to engage them for your organization.
 
 For information about the developer experience, see [AUTOTITLE](/code-security/code-scanning/managing-code-scanning-alerts/fixing-alerts-in-security-campaign).
 
 ## Selecting security alerts for remediation
 
-Your first thought may be to identify all the most urgent alerts and create a security campaign to fix them. If your developers already have a good understanding of secure coding and are keen to remediate potential vulnerabilities, this could be a successful approach for your company. However, if you need to build up knowledge of secure coding and common vulnerabilities, you will benefit from a more strategic approach.
+Your first thought may be to identify all the most urgent alerts and create a security campaign to fix them. If your developers already have a good understanding of secure coding and are keen to remediate potential vulnerabilities, this could be a successful approach for your company. However, if you need to build up knowledge of secure coding{% ifversion security-campaigns-secrets %}, exposed secrets,{% endif %} and common vulnerabilities, you will benefit from a more strategic approach.
 
-For example, if you have many alerts for cross-site scripting vulnerabilities, you could:
+{% ifversion security-campaigns-secrets %}
 
-* Create educational content for developers in a repository using resources from the OWASP Foundation, see [Cross Site Scripting (XSS)](https://owasp.org/www-community/attacks/xss/).
-* Create a campaign to remediate all alerts for this vulnerability, including a link to the educational content in the campaign description.
+### Example approach for a code campaign
+
+{% endif %}
+
+For a campaign to raise awareness and fix cross-site scripting vulnerabilities, you could:
+
+* Create educational content for developers in a repository using resources from the OWASP Foundation, see [Cross Site Scripting (XSS)](https://owasp.org/www-community/attacks/xss/).{% ifversion security-campaigns-autofix %}
+* Create a campaign to remediate all alerts for this vulnerability where {% data variables.copilot.copilot_autofix_short %} is supported, using the `autofix:supported` filter.{% endif %}
+* Include a link to the educational content in the campaign description.
 * Hold a training session or other event to highlight this opportunity to gain confidence in secure coding while fixing real bugs.
 * Make sure that the security team members assigned to manage the campaign are available to review the pull requests created to fix the campaign alerts, collaborating as needed.
 
-### Using {% data variables.copilot.copilot_autofix_short %} to help remediate security alerts
+{% ifversion security-campaigns-secrets %}
+
+### Example approach for a secrets campaign
 
-{% data variables.copilot.copilot_autofix %} is an expansion of {% data variables.product.prodname_code_scanning %} that provides users with targeted recommendations to help fix {% data variables.product.prodname_code_scanning %} alerts. When you select alerts to include in a security campaign, you can preferentially include alerts that are eligible to be fixed with the help of {% data variables.copilot.copilot_autofix %} using the `autofix:supported` filter.
+{% data reusables.security.secrets-campaign-preview %}
+
+For a campaign to raise awareness and fix exposed passwords, you could:
+
+* Create educational content for developers about storing passwords securely, for example, as {% data variables.product.github %} secrets, see [AUTOTITLE](/code-security/getting-started/understanding-github-secret-types).
+* Create a campaign to remediate all alerts for exposed passwords, including a link to the educational content in the campaign description.
+* Make sure that the security team members assigned to manage the campaign are available to ensure secrets are revoked and rotated acceptably, collaborating as needed.
+
+{% endif %}
 
 ### Campaign filter templates
 
@@ -83,11 +104,11 @@ The OWASP Foundation provides many resources for learning about the most common
 
 {% ifversion security-campaigns-autofix %}
 
-## Providing AI support for learning about security vulnerabilities
+## Providing AI support for learning about code vulnerabilities
 
-{% data variables.copilot.copilot_autofix %} is automatically triggered to suggest a resolution for each security alert. However, developers will often want more information about why the original code is insecure and how to test that the fix is correct and doesn't break other components.
+{% data variables.copilot.copilot_autofix %} is automatically triggered to suggest a resolution for each {% data variables.product.prodname_code_scanning %} alert. However, developers will often want more information about why the original code is insecure and how to test that the fix is correct and doesn't break other components.
 
-{% data variables.product.prodname_copilot %} is an important tool for developers who have questions about secure coding, how to fix security alerts, and test their fix. Check that all developers in your organization have access to {% data variables.product.prodname_copilot_short %} in both their IDE and {% data variables.product.github %}, see [AUTOTITLE](/copilot/managing-copilot/managing-github-copilot-in-your-organization/managing-access-to-github-copilot-in-your-organization/granting-access-to-copilot-for-members-of-your-organization).
+{% data variables.product.prodname_copilot %} chat is an important tool for developers who have questions about secure coding, how to fix security alerts, and test their fix. Check that all developers in your organization have access to {% data variables.product.prodname_copilot_short %} in both their IDE and {% data variables.product.github %}, see [AUTOTITLE](/copilot/how-tos/administer-copilot/manage-for-organization/manage-access/grant-access).
 
 {% endif %}