Repo sync

content/code-security/securing-your-organization/understanding-your-organizations-exposure-to-leaked-secrets/calculating-the-cost-savings-of-push-protection.md

@@ -0,0 +1,88 @@
+---
+title: Calculating the cost savings of push protection
+shortTitle: Push protection cost savings
+intro: Learn how to use the {% data variables.secret-scanning.roi-calculator %} to estimate the remediation time and labor costs you'll avoid by preventing leaked secrets.
+product: '{% data reusables.gated-features.secret-risk-assessment-calculators %}'
+versions:
+  feature: secret-risk-assessment
+permissions: '{% data reusables.permissions.push-protection-roi-calculator %}'
+topics:
+  - Secret scanning
+  - Secret Protection
+contentType: how-tos
+---
+
+## What is the cost savings calculator?
+
+You can use the {% data variables.secret-scanning.roi-calculator %} to estimate the cost avoided by preventing leaked secrets with push protection. This information can help you:
+
+* Determine how widely to enable {% data variables.product.prodname_GH_secret_protection %} in your organization.
+* Compare the estimated impact of push protection in different teams or environments.
+* Communicate time and cost implications of rollout decisions to stakeholders.
+
+Push protection is a paid feature which is available with {% data variables.product.prodname_GH_secret_protection %}. For more information, see [AUTOTITLE](/code-security/securing-your-organization/understanding-your-organizations-exposure-to-leaked-secrets/choosing-github-secret-protection).
+
+## Prerequisites
+
+* You need to have generated a secret risk assessment for your organization. See [AUTOTITLE](/code-security/securing-your-organization/understanding-your-organizations-exposure-to-leaked-secrets/viewing-the-secret-risk-assessment-report-for-your-organization).
+* You have realistic values for:
+  * Average remediation time per leaked secret (hours)
+  * Average annual developer salary (USD)
+
+## Estimating cost savings from push protection
+
+{% data reusables.organizations.navigate-to-org %}
+{% data reusables.organizations.security-overview %}
+{% data reusables.security-overview.open-assessments-view %}
+1. On the top right corner of the banner, click **Get started**.
+1. In the dropdown, select **Estimate push protection savings**.
+1. Review the non-editable value for "Preventable leaks" (P). If 0, a baseline value (such as 70) is shown for modeling purposes.
+1. Enter or adjust the average developer annual compensation (C), in USD.
+   * Use blended fully loaded annual compensation (salary + benefits).
+   * Keep estimates conservative to avoid overstatement.
+1. Enter or adjust the time to remediate each leaked secret (T), in hours. We recommend you use an average remediation time that reflects steps for revoking, rotating, and validating secrets, as well as notifying your teams or customers:
+   * T = 1-1.5 hours for simple rotation, minimal coordination
+   * T = 2-3 hours to account for a distributed team or extra checks
+   * T = 3-4 hours if you work in a regulated / audited environment
+1. Review the outputs from the **Return on investment** panel:
+   * **Secrets prevented**: The number of preventable secrets detected.
+   * **Time saved**: Total hours saved by preventing these secrets, based on your input.
+   * **Potential savings with push protection**: The total estimated labor cost avoided.
+
+{% note %}
+
+Did you successfully use the {% data variables.secret-scanning.roi-calculator %} to estimate the cost savings of using push protection on your organization?
+
+<a href="https://docs.github.io/success-test/yes.html" target="_blank" class="btn btn-outline mt-3 mr-3 no-underline"><span>Yes</span></a>  <a href="https://docs.github.io/success-test/no.html" target="_blank" class="btn btn-outline mt-3 mr-3 no-underline"><span>No</span></a>
+
+{% endnote %}
+
+## Understanding your results
+
+Next, review the results to understand their implications and determine the appropriate scope for rolling out push protection in your organization. Keep the following information in mind as you interpret your results.
+
+The calculator **does**:
+* Estimate savings for **secrets blocked by push protection** only.
+* Base results on your risk assessment and assumptions you provide.
+* Provide estimates based on **labor cost avoidance** only.
+* Provide a modeled baseline for preventable leaks if no secrets were detected in the current scan window.
+
+The calculator does **not**:
+* Include any costs related to data breaches or external impacts. For informational purposes, the cost of a data breach averaged $4.88M in 2024 according to IBM.
+* Include time savings from other {% data variables.product.prodname_GH_secret_protection %} features.
+* Support currencies other than USD.
+
+## Troubleshooting
+
+If you run into problems using the calculator, use the following table to troubleshoot.
+
+| Issue | Action |
+|-------|--------|
+| **Preventable secrets = 0** | When no preventable secrets are detected, the calculator displays a default baseline value (such as 70) for modeling purposes.<br> To replace the baseline with real data, enable push protection on more repositories and allow secret scanning to collect more information. |
+| **Estimated savings shows $5M+** | The calculator is capped at $5M. If your modeled savings exceed this threshold, the value will be displayed as "$5M+" in the UI. To get the precise amount, export your input values (preventable secrets, time to remediate, and developer salary) and replicate the formula in a spreadsheet:</br>`(Secrets prevented) × (Time to remediate) × (Hourly rate)` where hourly rate is calculated as `Salary ÷ 2080`. |
+| **Value seems low** | Review your inputs for time to remediate and average developer compensation. Ensure you have included all steps involved in remediation (such as revoke, rotate, validate, and notify) and that the salary reflects a fully loaded annual cost. |
+| **Value seems high** | Double-check your input values for time to remediate and average compensation to make sure they are realistic and not overstated. Remove any outliers that could be skewing the estimate. |
+
+## Further reading
+
+* [Detecting and Preventing Secret Leaks in Code](https://github.com/resources/whitepapers/secret-scanning-a-key-to-your-cybersecurity-strategy) in  {% data variables.product.github %}'s `resources` repository

content/code-security/securing-your-organization/understanding-your-organizations-exposure-to-leaked-secrets/choosing-github-secret-protection.md

@@ -27,6 +27,14 @@ To generate a {% data variables.product.prodname_secret_risk_assessment %} repor
 
 {% data variables.product.prodname_secret_protection %} is billed per active committer to the repositories where it is enabled. It is available to users with a {% data variables.product.prodname_team %} or {% data variables.product.prodname_enterprise %} plan, see [AUTOTITLE](/billing/managing-billing-for-your-products/managing-billing-for-github-advanced-security/about-billing-for-github-advanced-security).
 
+{% ifversion fpt or ghec or ghes > 3.19 %}
+
+{% data variables.product.github %} provides two calculators to help you budget, justify rollout scope, and prioritize which repositories to enable {% data variables.product.prodname_secret_protection %} on first while optimizing license usage. You can estimate:
+* How much you can save by using push protection in repositories in your organization **with the {% data variables.secret-scanning.roi-calculator %}**. See [AUTOTITLE](/code-security/securing-your-organization/understanding-your-organizations-exposure-to-leaked-secrets/calculating-the-cost-savings-of-push-protection).
+* How much {% data variables.product.prodname_secret_protection %} will cost you monthly for repositories in your organization **with the {% data variables.secret-scanning.pricing-calculator %}**. See [AUTOTITLE](/code-security/securing-your-organization/understanding-your-organizations-exposure-to-leaked-secrets/estimating-the-price-of-secret-protection).
+
+{% endif %}
+
 ## Why you should enable {% data variables.product.prodname_secret_protection %} for 100% of your organization's repositories
 
 {% data variables.product.github %} recommends enabling {% data variables.product.prodname_GH_secret_protection %} products for all repositories, in order to protect your organization from the risk of secret leaks and exposures.  {% data variables.product.prodname_GH_secret_protection %} is free to enable for public repositories, and available as a purchasable add-on for private and internal repositories.

content/code-security/securing-your-organization/understanding-your-organizations-exposure-to-leaked-secrets/estimating-the-price-of-secret-protection.md

@@ -0,0 +1,54 @@
+---
+title: Estimating the price of Secret Protection
+shortTitle: Secret protection pricing
+intro: Learn how to use the {% data variables.secret-scanning.pricing-calculator %} to estimate the monthly cost of {% data variables.product.prodname_GH_secret_protection %} for your repositories.
+product: '{% data reusables.gated-features.secret-risk-assessment-calculators %}'
+versions:
+  feature: secret-risk-assessment
+permissions: '{% data reusables.permissions.push-protection-roi-calculator %}'
+topics:
+  - Secret scanning
+  - Secret Protection
+contentType: how-tos
+---
+
+## What is the pricing calculator?
+
+You can use the {% data variables.secret-scanning.pricing-calculator %} on the secret risk assessment page to estimate the monthly cost of {% data variables.product.prodname_GH_secret_protection %} for your organization. This tool allows you to preview costs based on your current repositories and active committers, so you can plan for purchase or rollout decisions.
+
+For more information about {% data variables.product.prodname_secret_protection %}, see [AUTOTITLE](/code-security/securing-your-organization/understanding-your-organizations-exposure-to-leaked-secrets/choosing-github-secret-protection).
+
+## Prerequisites
+
+You need to have generated a secret risk assessment for your organization. See [AUTOTITLE](/code-security/securing-your-organization/understanding-your-organizations-exposure-to-leaked-secrets/viewing-the-secret-risk-assessment-report-for-your-organization).
+
+## Estimating the price of {% data variables.product.prodname_secret_protection %}
+
+{% data reusables.organizations.navigate-to-org %}
+{% data reusables.organizations.security-overview %}
+{% data reusables.security-overview.open-assessments-view %}
+1. On the top right corner of the banner, click **Get started**.
+1. In the dropdown, select **Preview cost and enable Secret Protection**.
+1. In the calculator dialog, choose whether to estimate the cost for:
+   * **All repositories**: Includes every repository in your organization.
+   * **Selected repositories**: Choose specific repositories for the estimate.
+   Once you've made your choices, the calculator shows:
+      * The **estimated monthly cost** for your organization.
+      * The **number of {% data variables.product.prodname_secret_protection %} licenses required**, based on active committers in the last 90 days for the selected repositories.
+      * The **per-committer rate** (for example, $19 per active committer).
+1. To proceed with enabling {% data variables.product.prodname_secret_protection %}, click **Review and enable**.
+
+{% note %}
+
+Did you successfully use the {% data variables.secret-scanning.pricing-calculator %} to estimate the cost of using {% data variables.product.prodname_secret_protection %} features on your organization?
+
+<a href="https://docs.github.io/success-test/yes.html" target="_blank" class="btn btn-outline mt-3 mr-3 no-underline"><span>Yes</span></a>  <a href="https://docs.github.io/success-test/no.html" target="_blank" class="btn btn-outline mt-3 mr-3 no-underline"><span>No</span></a>
+
+{% endnote %}
+
+## Understanding your results
+
+* **The {% data variables.secret-scanning.pricing-calculator %} only provides an estimate.** Actual billing is based on the number of active committers in the selected private repositories during the billing period.
+* The calculator **does not include costs for other {% data variables.product.prodname_GHAS %} features**.
+* The calculator **dynamically calculates active committers** for each repository you select. If two repositories share the same number of committers, adding the second repository shows 0 additional committers, because enabling {% data variables.product.prodname_secret_protection %} for one also covers the other. This helps you quickly see the true incremental cost as you select repositories.
+* USD is the only supported currency.

content/code-security/securing-your-organization/understanding-your-organizations-exposure-to-leaked-secrets/index.md

@@ -15,4 +15,6 @@ children:
   - /viewing-the-secret-risk-assessment-report-for-your-organization
   - /interpreting-secret-risk-assessment-results
   - /choosing-github-secret-protection
+  - /calculating-the-cost-savings-of-push-protection
+  - /estimating-the-price-of-secret-protection
 ---

content/copilot/how-tos/configure-custom-instructions/add-repository-instructions.md

@@ -541,7 +541,7 @@ Your choice persists, for all repositories containing a custom instructions file
 
 ## Enabling and using prompt files
 
-> [!NOTE] Prompt files are {% data variables.release-phases.public_preview %} and subject to change.
+{% data reusables.copilot.prompt-files-preview-note %}
 
 Prompt files let you build and share reusable prompt instructions with additional context. A prompt file is a Markdown file, stored in your workspace, that mimics the existing format of writing prompts in {% data variables.copilot.copilot_chat_short %} (for example, `Rewrite #file:x.ts`). You can have multiple prompt files in your workspace, each of which defines a prompt for a different purpose.
 

content/copilot/tutorials/customization-library/custom-instructions/accessibility-auditor.md

@@ -0,0 +1,125 @@
+---
+title: Accessibility auditor
+intro: 'Instructions for comprehensive web accessibility testing and compliance.'
+versions:
+  feature: copilot
+category:
+  - Custom instructions
+  - Development workflows
+  - Repository
+  - Path-specific
+complexity:
+  - Intermediate
+octicon: book
+topics:
+  - Copilot
+contentType: tutorials
+---
+
+{% data reusables.copilot.customization-examples-note %}
+
+The following example shows a path-specific `accessibility.instructions.md` file that applies only to HTML files in your repository, and guides {% data variables.product.prodname_copilot %} to generate accessible, inclusive HTML that follows WCAG guidelines. For more information about path-specific instructions files, see [AUTOTITLE](/copilot/how-tos/configure-custom-instructions/add-repository-instructions#using-one-or-more-instructionsmd-files).
+
+````text copy
+---
+applyTo: **/*.html
+---
+
+When generating code, ensure accessibility compliance by following these priorities:
+
+## Semantic HTML First
+- Use proper semantic elements: `<nav>`, `<main>`, `<section>`, `<article>`, `<header>`, `<footer>`
+- Structure headings sequentially (h1 → h2 → h3, never skip levels)
+- Use one `<h1>` per page with descriptive heading text
+
+## Essential ARIA Requirements
+- Add `alt` text to all images
+- Label form inputs with `<label>` or `aria-label`
+- Ensure interactive elements have accessible names
+- Use `aria-expanded` for collapsible content
+- Add `role`, `aria-labelledby`, and `aria-describedby` when semantic HTML isn't sufficient
+
+## Keyboard Navigation
+- All interactive elements must be keyboard accessible
+- Provide visible focus indicators (minimum 2px outline)
+- Include skip links: `<a href="#main">Skip to main content</a>`
+- Use logical tab order that matches visual layout
+
+## Color and Contrast
+- Ensure 4.5:1 contrast ratio for normal text, 3:1 for large text
+- Don't rely solely on color to convey information
+
+## Quick Test Questions
+- Can you navigate the entire interface using only Tab/Shift+Tab/Enter?
+- Are all images and icons properly described?
+- Can screen reader users understand the content and functionality?
+
+## Screen Reader Compatibility
+
+**Provide descriptive text for all non-text content:**
+- Images: Use alt text that describes function, not just appearance
+  - Good: `alt="Submit form"`
+  - Avoid: `alt="Blue button"`
+- Form inputs: Associate every input with a `<label>` element
+- Links: Use descriptive link text
+  - Good: "Download the accessibility report (PDF, 2MB)"
+  - Avoid: "Click here" or "Read more"
+
+**Announce dynamic content updates:**
+- Use `aria-live="polite"` for status updates
+- Use `aria-live="assertive"` for urgent notifications
+- Update screen reader users when content changes without page reload
+
+---
+
+## Color and Contrast Requirements
+
+**Meet these specific contrast ratios:**
+- Normal text (under 18pt): Minimum 4.5:1 contrast ratio
+- Large text (18pt+ or 14pt+ bold): Minimum 3:1 contrast ratio
+- UI components and graphics: Minimum 3:1 contrast ratio
+
+**Provide multiple visual cues:**
+- Use color + icon + text for status indicators
+- Add patterns or textures to distinguish chart elements
+- Include text labels on graphs and data visualizations
+
+---
+
+## Testing Integration Steps
+
+**Include these automated checks:**
+1. Run axe-core accessibility scanner in CI/CD pipeline
+2. Test with lighthouse accessibility audit
+3. Validate HTML markup for semantic correctness
+
+**Perform these manual tests:**
+1. Navigate entire interface using only Tab and arrow keys
+2. Test with screen reader (NVDA on Windows, VoiceOver on Mac)
+3. Verify 200% zoom doesn't break layout or hide content
+4. Check color contrast with tools like WebAIM Color Contrast Checker
+
+---
+
+## Form Design Standards
+
+**Create accessible form experiences:**
+- Place labels above or to the left of form fields
+- Group related fields with `<fieldset>` and `<legend>`
+- Display validation errors immediately after the field with `aria-describedby`
+- Use `aria-required="true"` for required fields
+- Provide clear instructions before users start filling out forms
+
+**Error message format:**
+```html
+<input aria-describedby="email-error" aria-invalid="true">
+<div id="email-error">Please enter a valid email address</div>
+```
+
+---
+
+**Code Generation Rule:** Always include accessibility comments explaining ARIA attributes and semantic choices. Test code with keyboard navigation before suggesting it's complete.
+
+````
+
+{% data reusables.copilot.custom-instructions-further-reading %}

content/copilot/tutorials/customization-library/custom-instructions/code-reviewer.md

@@ -0,0 +1,66 @@
+---
+title: Code reviewer
+intro: 'Instructions for thorough and constructive code reviews.'
+versions:
+  feature: copilot
+category:
+  - Custom instructions
+  - Team collaboration
+complexity:
+  - Simple
+octicon: book
+topics:
+  - Copilot
+contentType: tutorials
+---
+
+{% data reusables.copilot.customization-examples-note %}
+
+The following example shows custom instructions to guide {% data variables.product.prodname_copilot %} to provide thorough, constructive code reviews focused on security, performance, and code quality.
+
+```markdown copy
+When reviewing code, focus on:
+
+## Security Critical Issues
+- Check for hardcoded secrets, API keys, or credentials
+- Look for SQL injection and XSS vulnerabilities  
+- Verify proper input validation and sanitization
+- Review authentication and authorization logic
+
+## Performance Red Flags
+- Identify N+1 database query problems
+- Spot inefficient loops and algorithmic issues
+- Check for memory leaks and resource cleanup
+- Review caching opportunities for expensive operations
+
+## Code Quality Essentials
+- Functions should be focused and appropriately sized
+- Use clear, descriptive naming conventions
+- Ensure proper error handling throughout
+
+## Review Style
+- Be specific and actionable in feedback
+- Explain the "why" behind recommendations
+- Acknowledge good patterns when you see them
+- Ask clarifying questions when code intent is unclear
+
+Always prioritize security vulnerabilities and performance issues that could impact users.
+
+Always suggest changes to improve readability. For example, this suggestion seeks to make the code more readable and also makes the validation logic reusable and testable.
+
+// Instead of:
+if (user.email && user.email.includes('@') && user.email.length > 5) {
+  submitButton.enabled = true;
+} else {
+  submitButton.enabled = false;
+}
+
+// Consider:
+function isValidEmail(email) {
+  return email && email.includes('@') && email.length > 5;
+}
+
+submitButton.enabled = isValidEmail(user.email);
+```
+
+{% data reusables.copilot.custom-instructions-further-reading %}