Add docs for secret scanning user defined patterns beta (github#19589)

lucascosti · mchammer01 · Grey Baker · web-flow · commit 31579808f6e8 · 2021-06-04T17:24:11.000Z
* New secret scanning article part 1 * Add other procedures and links * Apply suggestions from code review Co-authored-by: mc <42146119+mchammer01@users.noreply.github.com> * UI variable suggestions Co-authored-by: mc <42146119+mchammer01@users.noreply.github.com> * Clarify org setting and beta note * Fix GHES version * Apply suggestions from @greysteil's code review Co-authored-by: Grey Baker <greysteil@github.com> * Remove beta view restriction * Add section on regex syntax Co-authored-by: Grey Baker <greysteil@github.com> * Regex support edit Co-authored-by: mc <42146119+mchammer01@users.noreply.github.com> Co-authored-by: Grey Baker <greysteil@github.com> Co-authored-by: Amy Burns <timeyoutakeit@github.com>
diff --git a/assets/images/help/repository/secret-scanning-add-custom-pattern.png b/assets/images/help/repository/secret-scanning-add-custom-pattern.png
diff --git a/assets/images/help/repository/secret-scanning-create-custom-pattern.png b/assets/images/help/repository/secret-scanning-create-custom-pattern.png
diff --git a/assets/images/help/repository/secret-scanning-remove-custom-pattern.png b/assets/images/help/repository/secret-scanning-remove-custom-pattern.png
diff --git a/content/code-security/secret-security/about-secret-scanning.md b/content/code-security/secret-security/about-secret-scanning.md
@@ -49,6 +49,8 @@ When {% data variables.product.prodname_secret_scanning %} detects a set of cred
 
 If you're a repository administrator or an organization owner, you can enable {% data variables.product.prodname_secret_scanning %} for {% if currentVersion == "free-pro-team@latest" %} private{% endif %} repositories that are owned by organizations. You can enable  {% data variables.product.prodname_secret_scanning %} for all your repositories, or for all new repositories within your organization.{% if currentVersion == "free-pro-team@latest" %} {% data variables.product.prodname_secret_scanning_caps %} is not available for user-owned private repositories.{% endif %} For more information, see "[Managing security and analysis settings for your repository](/github/administering-a-repository/managing-security-and-analysis-settings-for-your-repository)" and "[Managing security and analysis settings for your organization](/organizations/keeping-your-organization-secure/managing-security-and-analysis-settings-for-your-organization)."
 
+{% if currentVersion == "free-pro-team@latest" or currentVersion ver_gt "enterprise-server@3.1" or currentVersion == "github-ae@next" %}You can also define custom {% data variables.product.prodname_secret_scanning %} patterns that only apply to your repository or organization. For more information, see "[Defining custom patterns for {% data variables.product.prodname_secret_scanning %}](/code-security/secret-security/defining-custom-patterns-for-secret-scanning)."{% endif %}
+
 When you push commits to a{% if currentVersion == "free-pro-team@latest" %} private{% endif %} repository with {% data variables.product.prodname_secret_scanning %} enabled, {% data variables.product.prodname_dotcom %} scans the contents of the commits for secrets.
 
 When {% data variables.product.prodname_secret_scanning %} detects a secret in a{% if currentVersion == "free-pro-team@latest" %} private{% endif %} repository, {% data variables.product.prodname_dotcom %} generates an alert.
@@ -71,11 +73,13 @@ To monitor results from {% data variables.product.prodname_secret_scanning %} ac
 
 {% data reusables.secret-scanning.partner-secret-list-private-repo %}
 
+{% if currentVersion ver_lt "enterprise-server@3.2" or currentVersion == "github-ae@latest" %}
 {% note %}
 
 **Note:** {% data variables.product.prodname_secret_scanning_caps %} does not currently allow you to define your own patterns for detecting secrets.
 
 {% endnote %}
+{% endif %}
 
 ### Further reading
 
diff --git a/content/code-security/secret-security/configuring-secret-scanning-for-your-repositories.md b/content/code-security/secret-security/configuring-secret-scanning-for-your-repositories.md
@@ -32,7 +32,7 @@ topics:
 
 {% if currentVersion ver_gt "enterprise-server@2.22" or currentVersion == "github-ae@next" %}
 You can enable {% data variables.product.prodname_secret_scanning %} for any repository that is owned by an organization. 
-{% endif %} Once enabled, {% data variables.product.prodname_secret_scanning %} will scan for any secrets your entire Git history on all branches present in your {% data variables.product.prodname_dotcom %} repository.
+{% endif %} Once enabled, {% data reusables.secret-scanning.secret-scanning-process %}
 
 {% data reusables.repositories.navigate-to-repo %}
 {% data reusables.repositories.sidebar-settings %}
@@ -85,3 +85,4 @@ You can also ignore individual alerts from {% data variables.product.prodname_se
 ### Further reading
 
 - "[Managing security and analysis settings for your organization](/organizations/keeping-your-organization-secure/managing-security-and-analysis-settings-for-your-organization)"
+{% if currentVersion == "free-pro-team@latest" or currentVersion ver_gt "enterprise-server@3.1" or currentVersion == "github-ae@next" %}- "[Defining custom patterns for {% data variables.product.prodname_secret_scanning %}](/code-security/secret-security/defining-custom-patterns-for-secret-scanning)"{% endif %}
diff --git a/content/code-security/secret-security/defining-custom-patterns-for-secret-scanning.md b/content/code-security/secret-security/defining-custom-patterns-for-secret-scanning.md
@@ -0,0 +1,79 @@
+---
+title: Defining custom patterns for secret scanning
+shortTitle: 'Defining custom patterns'
+intro: 'You can define custom patterns for {% data variables.product.prodname_secret_scanning %} in organizations and private repositories.'
+product: '{% data reusables.gated-features.secret-scanning %}'
+versions:
+  free-pro-team: '*'
+  enterprise-server: '>=3.2'
+  github-ae: 'next'
+topics:
+  - Repositories
+---
+
+{% note %}
+
+**Note:** Custom patterns for {% data variables.product.prodname_secret_scanning %} is currently in beta and is subject to change.
+
+{% endnote %}
+
+### About custom patterns for {% data variables.product.prodname_secret_scanning %}
+
+{% data variables.product.company_short %} performs {% data variables.product.prodname_secret_scanning %} on {% if currentVersion == "free-pro-team@latest" %}public and private{% endif %} repositories for secret patterns provided by {% data variables.product.company_short %} and {% data variables.product.company_short %} partners. For more information on the {% data variables.product.prodname_secret_scanning %} partner program, see "<a href="/developers/overview/secret-scanning" class="dotcom-only">Secret scanning</a>."
+
+However, there can be situations where you want to scan for other secret patterns in your {% if currentVersion == "free-pro-team@latest" %}private{% endif %} repositories. For example, you might have a secret pattern that is internal to your organization. For these situations, you can define custom {% data variables.product.prodname_secret_scanning %} patterns in organizations and {% if currentVersion == "free-pro-team@latest" %}private{% endif %} repositories on {% data variables.product.product_name %}. You can define up to 20 custom patterns for each {% if currentVersion == "free-pro-team@latest" %}private{% endif %} repository or organization.
+
+{% note %}
+
+**Note:** During the beta, there are some limitations when using custom patterns for {% data variables.product.prodname_secret_scanning %}:
+
+* There is no dry-run functionality.
+* You cannot edit custom patterns after they're created. To change a pattern, you must delete it and recreate it.
+* There is no API for creating, editing, or deleting custom patterns. However, results for custom patterns are returned in the [secret scanning alerts API](/rest/reference/secret-scanning).
+
+{% endnote %}
+
+### Regular expression syntax for custom patterns
+
+Custom patterns for {% data variables.product.prodname_secret_scanning %} are specified as regular expressions. {% data variables.product.prodname_secret_scanning_caps %} uses the [Hyperscan library](https://github.com/intel/hyperscan) and only supports Hyperscan regex constructs, which are a subset of PCRE syntax. Hyperscan option modifiers are not supported.  For more information on Hyperscan pattern constructs, see "[Pattern support](http://intel.github.io/hyperscan/dev-reference/compilation.html#pattern-support)" in the Hyperscan documentation.
+
+### Defining a custom pattern for a repository
+
+Before defining a custom pattern, you must ensure that {% data variables.product.prodname_secret_scanning %} is enabled on your repository. For more information, see "[Configuring {% data variables.product.prodname_secret_scanning %} for your repositories](/code-security/secret-security/configuring-secret-scanning-for-your-repositories)."
+
+{% data reusables.repositories.navigate-to-repo %}
+{% data reusables.repositories.sidebar-settings %}
+{% data reusables.repositories.navigate-to-security-and-analysis %}
+{% data reusables.repositories.navigate-to-ghas-settings %}
+{% data reusables.repositories.secret-scanning-add-custom-pattern %}
+
+After your pattern is created, {% data reusables.secret-scanning.secret-scanning-process %} For more information on viewing {% data variables.product.prodname_secret_scanning %} alerts, see "[Managing alerts from {% data variables.product.prodname_secret_scanning %}](/code-security/secret-security/managing-alerts-from-secret-scanning)."
+
+### Defining a custom pattern for an organization
+
+Before defining a custom pattern, you must ensure that you enable {% data variables.product.prodname_secret_scanning %} for the {% if currentVersion == "free-pro-team@latest" %}private{% endif %} repositories that you want to scan in your organization. To enable {% data variables.product.prodname_secret_scanning %} on all {% if currentVersion == "free-pro-team@latest" %}private{% endif %} repositories in your organization, see "[Managing security and analysis settings for your organization](/organizations/keeping-your-organization-secure/managing-security-and-analysis-settings-for-your-organization)."
+
+{% note %}
+
+**Note:** There is no dry-run functionality during the custom patterns beta. To avoid excess false-positive {% data variables.product.prodname_secret_scanning %} alerts, we recommend that you test your custom patterns in a repository before defining them for your entire organization.
+
+{% endnote %}
+
+{% data reusables.profile.access_org %}
+{% data reusables.profile.org_settings %}
+{% data reusables.organizations.security-and-analysis %}
+{% data reusables.repositories.navigate-to-ghas-settings %}
+{% data reusables.repositories.secret-scanning-add-custom-pattern %}
+
+After your pattern is created, {% data variables.product.prodname_secret_scanning %} scans for any secrets in {% if currentVersion == "free-pro-team@latest" %}private{% endif %} repositories in your organization, including their entire Git history on all branches. Organization owners and repository administrators will be alerted to any secrets found, and can review the alert in the repository where the secret is found. For more information on viewing {% data variables.product.prodname_secret_scanning %} alerts, see "[Managing alerts from {% data variables.product.prodname_secret_scanning %}](/code-security/secret-security/managing-alerts-from-secret-scanning)."
+
+### Removing a custom pattern
+
+Removing a custom pattern also closes all the {% data variables.product.prodname_secret_scanning %} alerts that the pattern created.
+
+1. Navigate to the **Security & analysis** settings for the repository or organization where the custom pattern was created. For more information, see "[Defining a custom pattern for a repository](#defining-a-custom-pattern-for-a-repository)" or "[Defining a custom pattern for an organization](#defining-a-custom-pattern-for-an-organization)" above.
+{% data reusables.repositories.navigate-to-ghas-settings %}
+1. Under "{% data variables.product.prodname_secret_scanning_caps %}", find the custom pattern you want to remove and click **Remove**.
+
+   ![Remove a custom {% data variables.product.prodname_secret_scanning %}  pattern](/assets/images/help/repository/secret-scanning-remove-custom-pattern.png)
+1. Review the confirmation and click **Remove custom pattern**.
diff --git a/content/code-security/secret-security/index.md b/content/code-security/secret-security/index.md
@@ -14,6 +14,7 @@ topics:
 children:
   - /about-secret-scanning
   - /configuring-secret-scanning-for-your-repositories
+  - /defining-custom-patterns-for-secret-scanning
   - /managing-alerts-from-secret-scanning
 ---
 
diff --git a/data/reusables/repositories/navigate-to-ghas-settings.md b/data/reusables/repositories/navigate-to-ghas-settings.md
@@ -0,0 +1 @@
+1. Under "Configure security and analysis features", find "{% data variables.product.prodname_GH_advanced_security %}."
diff --git a/data/reusables/repositories/secret-scanning-add-custom-pattern.md b/data/reusables/repositories/secret-scanning-add-custom-pattern.md
@@ -0,0 +1,10 @@
+1. Under "{% data variables.product.prodname_secret_scanning_caps %}", click **Add a {% data variables.product.prodname_secret_scanning %} custom pattern**.
+
+   ![Add a {% data variables.product.prodname_secret_scanning %} custom pattern](/assets/images/help/repository/secret-scanning-add-custom-pattern.png)
+1. Enter the details for your new custom pattern:
+   1. You must at least provide the name for your pattern, and a regular expression for the format of your secret pattern.
+   1. You can click **More options {% octicon "chevron-down" aria-label="down" %}** to provide other surrounding content or additional match requirements for the secret format.
+   1. You can provide a sample test string and click the **Test** button to make sure your configuration is matching the patterns you expect.
+
+   ![Create a custom {% data variables.product.prodname_secret_scanning %} pattern form](/assets/images/help/repository/secret-scanning-create-custom-pattern.png)
+1. When you are satisfied with your new custom pattern, click **Create custom pattern**.
diff --git a/data/reusables/secret-scanning/about-secret-scanning.md b/data/reusables/secret-scanning/about-secret-scanning.md
@@ -1,2 +1,2 @@
-If someone checks a secret from a {% data variables.product.company_short %} partner into a {% if currentVersion == "free-pro-team@latest" %}public or private{% endif %} repository on {% data variables.product.product_name %}, {% data variables.product.prodname_secret_scanning %} catches the secret as it's checked in, and helps you mitigate the impact of the leak. 
+If someone checks a secret with a known pattern into a {% if currentVersion == "free-pro-team@latest" %}public or private{% endif %} repository on {% data variables.product.product_name %}, {% data variables.product.prodname_secret_scanning %} catches the secret as it's checked in, and helps you mitigate the impact of the leak. 
 Repository administrators are notified about any commit that contains a secret, and they can quickly view all detected secrets in the Security tab for the repository.
diff --git a/data/reusables/secret-scanning/secret-scanning-process.md b/data/reusables/secret-scanning/secret-scanning-process.md
@@ -0,0 +1 @@
+{% data variables.product.prodname_secret_scanning %} scans for any secrets in your entire Git history on all branches present in your {% data variables.product.prodname_dotcom %} repository.

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1 @@`
	`1`	`+1. Under "Configure security and analysis features", find "{% data variables.product.prodname_GH_advanced_security %}."`
Original file line number	Diff line number	Diff line change
`@@ -1,2 +1,2 @@`
`1`		`-If someone checks a secret from a {% data variables.product.company_short %} partner into a {% if currentVersion == "free-pro-team@latest" %}public or private{% endif %} repository on {% data variables.product.product_name %}, {% data variables.product.prodname_secret_scanning %} catches the secret as it's checked in, and helps you mitigate the impact of the leak.`
	`1`	`+If someone checks a secret with a known pattern into a {% if currentVersion == "free-pro-team@latest" %}public or private{% endif %} repository on {% data variables.product.product_name %}, {% data variables.product.prodname_secret_scanning %} catches the secret as it's checked in, and helps you mitigate the impact of the leak.`
`2`	`2`	`Repository administrators are notified about any commit that contains a secret, and they can quickly view all detected secrets in the Security tab for the repository.`