Repo sync

.github/workflows/sync-codeql-cli.yml

@@ -92,7 +92,7 @@ jobs:
 
           branchCheckout=$(git checkout -b $branchname)
           if [[ ! $? -eq 0 ]]; then
-            echo "Branch $branchname already exists in `github/docs-internal`. Exiting..."
+            echo "Branch $branchname already exists in 'github/docs-internal'. Exiting..."
             exit 0
           fi
           git add .

content/code-security/securing-your-organization/understanding-your-organizations-exposure-to-leaked-secrets/about-secret-risk-assessment.md

@@ -56,8 +56,4 @@ Because the {% data variables.product.prodname_secret_risk_assessment %} report
 
 ## Next steps
 
-Now that you know about the {% data variables.product.prodname_secret_risk_assessment %} report, you may want to learn how to:
-
-* Generate the report to see your organization risk. Navigate to {% data reusables.security-overview.navigate-to-risk-assessment %}.
-* Interpret the results of the report. See [AUTOTITLE](/code-security/securing-your-organization/understanding-your-organizations-exposure-to-leaked-secrets/interpreting-secret-risk-assessment-results).
-* Enable {% data variables.product.prodname_GH_secret_protection %} to improve your secret leak footprint. See [AUTOTITLE](/code-security/securing-your-organization/understanding-your-organizations-exposure-to-leaked-secrets/choosing-github-secret-protection#enabling-secret-protection).
+To start analyzing your organization's secret risk, see [AUTOTITLE](/code-security/securing-your-organization/understanding-your-organizations-exposure-to-leaked-secrets/assess-your-secret-risk).

content/code-security/securing-your-organization/understanding-your-organizations-exposure-to-leaked-secrets/assess-your-secret-risk.md

@@ -0,0 +1,42 @@
+---
+title: 'Running the secret risk assessment for your organization'
+shortTitle: 'Assess your secret risk'
+intro: 'Determine your organization''s exposure to leaked secrets by generating a {% data variables.product.prodname_secret_risk_assessment %} report.'
+product: '{% data reusables.gated-features.secret-risk-assessment-report %}'
+permissions: '{% data reusables.permissions.secret-risk-assessment-report-generation %}'
+type: how_to
+versions:
+  feature: secret-risk-assessment
+topics:
+  - Code Security
+  - Secret scanning
+  - Secret Protection
+  - Organizations
+  - Security
+---
+
+## Generating an initial {% data variables.product.prodname_secret_risk_assessment %}
+
+{% data reusables.organizations.navigate-to-org %}
+{% data reusables.organizations.security-overview %}
+{% data reusables.security-overview.open-assessments-view %}
+{% data reusables.security-overview.generate-secret-risk-assessment-report %}
+
+    {% data reusables.secret-risk-assessment.notification-report-ready %}
+
+## Rerunning the {% data variables.product.prodname_secret_risk_assessment %}
+
+> [!NOTE]
+> You can only generate a secret risk assessment report once every 90 days.
+
+{% data reusables.organizations.navigate-to-org %}
+{% data reusables.organizations.security-overview %}
+{% data reusables.security-overview.open-assessments-view %}
+1. Towards the top right side of the existing report, click {% octicon "kebab-horizontal" aria-label="The horizontal kebab icon" %}.
+1. Select **Rerun scan**.
+
+    {% data reusables.secret-risk-assessment.notification-report-ready %}
+
+## Next steps
+
+Now that you've generated a {% data variables.product.prodname_secret_risk_assessment %} report for your organization, learn how to interpret the results. See [AUTOTITLE](/code-security/securing-your-organization/understanding-your-organizations-exposure-to-leaked-secrets/interpreting-secret-risk-assessment-results).

content/code-security/securing-your-organization/understanding-your-organizations-exposure-to-leaked-secrets/export-risk-report-csv.md

@@ -0,0 +1,25 @@
+---
+title: 'Exporting the secret risk assessment report to CSV'
+shortTitle: 'Export risk report CSV'
+intro: 'Export the {% data variables.product.prodname_secret_risk_assessment %} report to a CSV file for detailed investigation and stakeholder sharing.'
+product: '{% data reusables.gated-features.secret-risk-assessment-report %}'
+permissions: '{% data reusables.permissions.secret-risk-assessment-report-generation %}'
+type: how_to
+versions:
+  feature: secret-risk-assessment
+topics:
+  - Code Security
+  - Secret scanning
+  - Secret Protection
+  - Organizations
+  - Security
+---
+
+{% data reusables.organizations.navigate-to-org %}
+{% data reusables.organizations.security-overview %}
+{% data reusables.security-overview.open-assessments-view %}
+1. Towards the top-right side of the report, select the {% octicon "kebab-horizontal" aria-label="More options" %} dropdown menu, then click {% octicon "download" aria-hidden="true" aria-label="download" %} **Download CSV**.
+
+## Next steps
+
+To better understand the fields of your CSV file, see [AUTOTITLE](/code-security/securing-your-organization/understanding-your-organizations-exposure-to-leaked-secrets/risk-report-csv-contents).

content/code-security/securing-your-organization/understanding-your-organizations-exposure-to-leaked-secrets/index.md

@@ -12,7 +12,10 @@ topics:
   - Security
 children:
   - /about-secret-risk-assessment
+  - /assess-your-secret-risk
   - /viewing-the-secret-risk-assessment-report-for-your-organization
+  - /export-risk-report-csv
+  - /risk-report-csv-contents
   - /interpreting-secret-risk-assessment-results
   - /choosing-github-secret-protection
   - /calculating-the-cost-savings-of-push-protection

content/code-security/securing-your-organization/understanding-your-organizations-exposure-to-leaked-secrets/interpreting-secret-risk-assessment-results.md

@@ -23,7 +23,7 @@ In this tutorial, you'll interpret your secret risk assessment results, and lear
 
 ## Prerequisites
 
-You must generate a {% data variables.product.prodname_secret_risk_assessment %} report and wait for the scan to complete. See [AUTOTITLE](/code-security/securing-your-organization/understanding-your-organizations-exposure-to-leaked-secrets/viewing-the-secret-risk-assessment-report-for-your-organization#generating-an-initial-secret-risk-assessment).
+You must generate a {% data variables.product.prodname_secret_risk_assessment %} report and wait for the scan to complete. See [AUTOTITLE](/code-security/securing-your-organization/understanding-your-organizations-exposure-to-leaked-secrets/assess-your-secret-risk).
 
 ## Step 1: Understand your dashboard metrics
 
@@ -71,7 +71,7 @@ If you see **many secrets of the same type** (for example, multiple AWS keys), t
 * Developers may not be using environment variables
 * Missing documentation on secret management
 
-## Step 5: Prioritizing remediation and related actions
+## Step 5: Prioritize remediation and related actions
 
 Now that you understand the metrics, prioritize remediation based on risk.
 

content/code-security/securing-your-organization/understanding-your-organizations-exposure-to-leaked-secrets/risk-report-csv-contents.md

@@ -0,0 +1,32 @@
+---
+title: 'Contents of the secret risk assessment report CSV'
+shortTitle: 'Risk report CSV contents'
+intro: 'Understand the data included in the CSV export of the {% data variables.product.prodname_secret_risk_assessment %} report.'
+product: '{% data reusables.gated-features.secret-risk-assessment-report %}'
+permissions: '{% data reusables.permissions.secret-risk-assessment-report-generation %}'
+type: reference
+versions:
+  feature: secret-risk-assessment
+topics:
+  - Code Security
+  - Secret scanning
+  - Secret Protection
+  - Organizations
+  - Security
+---
+
+The {% data variables.product.prodname_secret_risk_assessment %} report CSV file includes the following information:
+
+| CSV column | Name                   | Description                                               |
+| ---------- | ---------------------- | --------------------------------------------------------- |
+| A          | `Organization Name`    | The name of the organization the secret was detected in |
+| B          | `Name`                 | The token name for the type of secret |
+| C          | `Slug`                 | The normalized string for the token. This corresponds to `Token` in the table of supported secrets. See [AUTOTITLE](/code-security/secret-scanning/introduction/supported-secret-scanning-patterns#supported-secrets). |
+| D          | `Push Protected`       | A `boolean` to indicate whether the secret would be detected and blocked by push protection if it were enabled |
+| E          | `Non-Provider Pattern` | A `boolean` to indicate whether the secret matched a non-provider pattern and would generate an alert if {% data variables.product.prodname_secret_scanning %} with non-provider patterns were enabled |
+| F          | `Secret Count`         | An aggregate count of the active and inactive secrets found for the token type |
+| G          | `Repository Count`         | An aggregate count of distinct repositories in which the secret type was found, including public, private,{% ifversion ghec or ghes %} internal,{% endif %} and archived repositories |
+
+## Next steps
+
+To learn which secrets you should prioritize for remediation, see [AUTOTITLE](/code-security/securing-your-organization/understanding-your-organizations-exposure-to-leaked-secrets/interpreting-secret-risk-assessment-results#step-5-prioritizing-remediation-and-related-actions).

content/code-security/securing-your-organization/understanding-your-organizations-exposure-to-leaked-secrets/viewing-the-secret-risk-assessment-report-for-your-organization.md

@@ -1,7 +1,7 @@
 ---
 title: 'Viewing the secret risk assessment report for your organization'
-shortTitle: 'View secret risk assessment'
-intro: 'You can generate and view the {% data variables.product.prodname_secret_risk_assessment %} report for your organization from the "Security" tab.'
+shortTitle: 'View risk report'
+intro: 'Understand your organization''s exposure to leaked secrets at a glance by viewing your most recent {% data variables.product.prodname_secret_risk_assessment %} report.'
 product: '{% data reusables.gated-features.secret-risk-assessment-report %}'
 permissions: '{% data reusables.permissions.secret-risk-assessment-report-generation %}'
 allowTitleToDifferFromFilename: true
@@ -16,65 +16,6 @@ topics:
   - Security
 ---
 
-{% data reusables.secret-risk-assessment.report-intro %} {% data reusables.secret-risk-assessment.link-conceptual-information %}
-
-You can generate the {% data variables.product.prodname_secret_risk_assessment %} report for your organization, review it, and export the results to CSV.
-
-## Generating an initial {% data variables.product.prodname_secret_risk_assessment %}
-
-{% data reusables.organizations.navigate-to-org %}
-{% data reusables.organizations.security-overview %}
-{% data reusables.security-overview.open-assessments-view %}
-{% data reusables.security-overview.generate-secret-risk-assessment-report %}
-
-{% data reusables.secret-risk-assessment.notification-report-ready %}
-
-{% note %}
-
-Did you successfully generate the {% data variables.product.prodname_secret_risk_assessment %} report for your organization?
-
-<a href="https://docs.github.io/success-test/yes.html" target="_blank" class="btn btn-outline mt-3 mr-3 no-underline"><span>Yes</span></a>  <a href="https://docs.github.io/success-test/no.html" target="_blank" class="btn btn-outline mt-3 mr-3 no-underline"><span>No</span></a>
-
-{% endnote %}
-
-## Rerunning the {% data variables.product.prodname_secret_risk_assessment %}
-
-{% data reusables.security-overview.secret-risk-assessment-report-generation-cadence %}
-
-{% data reusables.organizations.navigate-to-org %}
-{% data reusables.organizations.security-overview %}
-{% data reusables.security-overview.open-assessments-view %}
-1. Towards the top right side of the existing report, click {% octicon "kebab-horizontal" aria-label="The horizontal kebab icon" %}.
-1. Select **Rerun scan**.
-
-    {% data reusables.secret-risk-assessment.notification-report-ready %}
-
-## Viewing the {% data variables.product.prodname_secret_risk_assessment %}
-
 {% data reusables.organizations.navigate-to-org %}
 {% data reusables.organizations.security-overview %}
 {% data reusables.security-overview.open-assessments-view %} You can see the most recent report on this page.
-
-## Exporting the {% data variables.product.prodname_secret_risk_assessment %} to CSV
-
-{% data reusables.organizations.navigate-to-org %}
-{% data reusables.organizations.security-overview %}
-{% data reusables.security-overview.open-assessments-view %}
-1. Towards the top right side of the report, click {% octicon "kebab-horizontal" aria-label="More options" %}.
-1. Select **Download CSV**.
-
-The {% data variables.product.prodname_secret_risk_assessment %} CSV file includes the following information.
-
-| CSV column | Name                   | Description                                               |
-| ---------- | ---------------------- | --------------------------------------------------------- |
-| A          | `Organization Name`    | The name of the organization the secret was detected in |
-| B          | `Name`                 | The token name for the type of secret |
-| C          | `Slug`                 | The normalized string for the token. This corresponds to `Token` in the table of supported secrets. See [AUTOTITLE](/code-security/secret-scanning/introduction/supported-secret-scanning-patterns#supported-secrets). |
-| D          | `Push Protected`       | A `boolean` to indicate whether the secret would be detected and blocked by push protection if it were enabled |
-| E          | `Non-Provider Pattern` | A `boolean` to indicate whether the secret matched a non-provider pattern and would generate an alert if {% data variables.product.prodname_secret_scanning %} with non-provider patterns were enabled |
-| F          | `Secret Count`         | An aggregate count of the active and inactive secrets found for the token type |
-| G          | `Repository Count`         | An aggregate count of distinct repositories in which the secret type was found, including public, private,{% ifversion ghec or ghes %} internal{% endif %}, and archived repositories |
-
-## Next steps
-
-Now that you've generated {% data variables.product.prodname_secret_risk_assessment %} for your organization, learn how to interpret the results. See [AUTOTITLE](/code-security/securing-your-organization/understanding-your-organizations-exposure-to-leaked-secrets/interpreting-secret-risk-assessment-results).

data/reusables/gated-features/secret-risk-assessment-report.md

@@ -1 +1 @@
-{% data variables.product.prodname_secret_risk_assessment_caps %} is available for free in organizations on {% data variables.product.prodname_team %} and {% data variables.product.prodname_enterprise %}
+Free for organizations on {% data variables.product.prodname_team %} and {% data variables.product.prodname_enterprise %}

src/content-linter/lib/linting-rules/table-column-integrity.ts

@@ -10,8 +10,9 @@ const TABLE_ROW_REGEX = /^\s*\|.*\|\s*$/
 // Regex to detect table separator rows (contains only |, :, -, and whitespace)
 const TABLE_SEPARATOR_REGEX = /^\s*\|[\s\-:|\s]*\|\s*$/
 // Regex to detect Liquid-only cells (whitespace, liquid tag, whitespace)
-const LIQUID_ONLY_CELL_REGEX = /^\s*{%\s*(ifversion|else|endif|elsif).*%}\s*$/
-
+const LIQUID_ONLY_CELL_REGEX = /^\s*{%\s*(ifversion|else|endif|elsif|for|endfor).*%}\s*$/
+// Regex to use for splitting on non-escaped pipes only
+const NON_ESCAPED_PIPE_REGEX = /(?<!\\)\|/
 /**
  * Counts the number of columns in a table row by splitting on | and handling edge cases
  */
@@ -24,8 +25,9 @@ function countColumns(row: string): number {
     return 0
   }
 
-  // Split by | and filter out empty cells at start/end (from leading/trailing |)
-  const cells = trimmed.split('|')
+  // Split by '|' (but ignore escaped '\|' as these are not true separators)
+  // Filter out empty cells at start/end (from leading/trailing |)
+  const cells = trimmed.split(NON_ESCAPED_PIPE_REGEX)
 
   // Remove first and last elements if they're empty (from leading/trailing |)
   if (cells.length > 0 && cells[0].trim() === '') {
@@ -45,7 +47,7 @@ function isLiquidOnlyRow(row: string): boolean {
   const trimmed = row.trim()
   if (!trimmed.includes('|')) return false
 
-  const cells = trimmed.split('|')
+  const cells = trimmed.split(NON_ESCAPED_PIPE_REGEX)
   // Remove empty cells from leading/trailing |
   const filteredCells = cells.filter((cell, index) => {
     if (index === 0 && cell.trim() === '') return false
@@ -72,10 +74,22 @@ export const tableColumnIntegrity = {
 
     const lines = params.lines
     let inTable = false
+    let inCodeFence = false
     let expectedColumnCount: number | null = null
 
     for (let i = 0; i < lines.length; i++) {
       const line = lines[i]
+
+      // Toggle code fence state
+      if (line.trim().startsWith('```')) {
+        inCodeFence = !inCodeFence
+        continue
+      }
+
+      if (inCodeFence) {
+        continue
+      }
+
       const isTableRow = TABLE_ROW_REGEX.test(line)
       const isSeparatorRow = TABLE_SEPARATOR_REGEX.test(line)