diff --git a/content/code-security/concepts/about-code-quality.md b/content/code-security/concepts/about-code-quality.md index 0e22b6e47814..323f0d0efe17 100644 --- a/content/code-security/concepts/about-code-quality.md +++ b/content/code-security/concepts/about-code-quality.md @@ -28,6 +28,7 @@ With {% data variables.product.prodname_code_quality_short %}, you can: * Identify code quality risks and opportunities in **pull requests** and through **repository scans**. * Review clear explanations for findings and apply one-click **{% data variables.product.prodname_copilot_short %}-powered autofixes**. * Use **repository dashboards** to track reliability and maintainability scores, identify areas needing attention, and prioritize remediation. +* Monitor **organization dashboards** to understand the code health of your repositories at a glance and determine which repositories to investigate further. * Set up **rulesets** for pull requests to enforce code quality standards and block changes that do not meet your criteria. * Easily assign remediation work to **{% data variables.copilot.copilot_coding_agent %}**, if you have a {% data variables.product.prodname_copilot_short %} license. 
@@ -49,7 +50,7 @@ With {% data variables.product.prodname_code_quality_short %}, you can: {% data variables.product.prodname_code_quality_short %} also performs AI-powered analysis with results displayed separately on the "**{% data variables.code-quality.recent_suggestions %}**" repository dashboard. Unlike the rule-based {% data variables.product.prodname_codeql %} analysis that scans the entire codebase and pull requests, this AI-powered analysis only examines files recently pushed to the default branch and may identify issues in languages beyond those listed above. For more information, see [AUTOTITLE](/code-security/code-quality/responsible-use/code-quality). -## Understanding where {% data variables.product.prodname_code_quality_short %} findings appear after enablement +## Where will findings appear? Once you enable {% data variables.product.prodname_code_quality_short %} for a repository, you'll see {% data variables.product.prodname_codeql %} scans for: @@ -76,5 +77,5 @@ Each {% data variables.product.prodname_codeql %} analysis will use {% data vari ## Next steps -* Enable {% data variables.product.prodname_code_quality_short %} for your repository, see [AUTOTITLE](/code-security/code-quality/how-tos/enable-code-quality). Enterprise owners **may** need to first update their Advanced Security policies, see [AUTOTITLE](/code-security/code-quality/how-tos/allow-in-enterprise) +* Enable {% data variables.product.prodname_code_quality_short %} for your repository, see [AUTOTITLE](/code-security/code-quality/how-tos/enable-code-quality). Enterprise owners **may** need to first update their Advanced Security policies, see [AUTOTITLE](/code-security/code-quality/how-tos/allow-in-enterprise). * See how {% data variables.product.prodname_code_quality %} works on your default branch to surface code quality issues and help you understand your repository's code health at a glance. See [AUTOTITLE](/code-security/code-quality/get-started/quickstart). 
diff --git a/content/code-security/how-tos/maintain-quality-code/enable-code-quality.md b/content/code-security/how-tos/maintain-quality-code/enable-code-quality.md index e109d1bd3d49..3e6221e415bd 100644 --- a/content/code-security/how-tos/maintain-quality-code/enable-code-quality.md +++ b/content/code-security/how-tos/maintain-quality-code/enable-code-quality.md @@ -41,5 +41,5 @@ redirect_from: ## Next steps -* Learn about the code quality backlog for your repository. See [AUTOTITLE](/code-security/code-quality/how-tos/interpret-results). -* Find and fix code quality issues before they reach your default branch. See [AUTOTITLE](/code-security/code-quality/tutorials/fix-findings-in-prs). +* **For your repository:** Understand your code quality backlog in detail. See [AUTOTITLE](/code-security/code-quality/how-tos/interpret-results). +* **For your organization:** Understand the code health of your repositories at a glance. See [AUTOTITLE](/code-security/how-tos/view-and-interpret-data/analyze-organization-data/explore-code-quality). diff --git a/content/code-security/how-tos/secure-at-scale/configure-enterprise-security/configure-specific-tools/allow-github-code-quality-in-enterprise.md b/content/code-security/how-tos/secure-at-scale/configure-enterprise-security/configure-specific-tools/allow-github-code-quality-in-enterprise.md index cc8cea2907d2..8cafad641e58 100644 --- a/content/code-security/how-tos/secure-at-scale/configure-enterprise-security/configure-specific-tools/allow-github-code-quality-in-enterprise.md +++ b/content/code-security/how-tos/secure-at-scale/configure-enterprise-security/configure-specific-tools/allow-github-code-quality-in-enterprise.md 
@@ -37,4 +37,4 @@ For more information about policies for {% data variables.product.prodname_AS %} ## Next steps -To see {% data variables.product.prodname_code_quality_short %} in action, turn the feature on for one or more repositories, [AUTOTITLE](/code-security/code-quality/how-tos/enable-code-quality). +To see {% data variables.product.prodname_code_quality_short %} in action, turn the feature on for one or more repositories. See [AUTOTITLE](/code-security/code-quality/how-tos/enable-code-quality). diff --git a/content/code-security/how-tos/view-and-interpret-data/analyze-organization-data/explore-code-quality.md b/content/code-security/how-tos/view-and-interpret-data/analyze-organization-data/explore-code-quality.md new file mode 100644 index 000000000000..d3873d5084ed --- /dev/null +++ b/content/code-security/how-tos/view-and-interpret-data/analyze-organization-data/explore-code-quality.md 
@@ -0,0 +1,53 @@ +--- +title: Exploring GitHub Code Quality results in your organization +shortTitle: Explore code quality +intro: Understand your organization's code health at a glance with the organization-level dashboard for {% data variables.product.prodname_code_quality_short %}. +product: '{% data reusables.gated-features.code-quality-availability %}' +permissions: 'Organization members' +contentType: how-tos +versions: + feature: code-quality +topics: + - Code Quality +--- + +{% data reusables.code-quality.code-quality-preview-note %} + +## Prerequisites + +* If your organization belongs to an enterprise, an enterprise owner must enable {% data variables.product.prodname_code_quality_short %} for your organization. See [AUTOTITLE](/code-security/how-tos/secure-at-scale/configure-enterprise-security/configure-specific-tools/allow-github-code-quality-in-enterprise). +* Your organization must have repositories with {% data variables.product.prodname_code_quality_short %} enabled. See [AUTOTITLE](/code-security/how-tos/maintain-quality-code/enable-code-quality). + +## Viewing code quality insights for your organization + +1. On {% data variables.product.prodname_dotcom %}, navigate to the main page of your organization. For example, from [https://github.com/settings/organizations](https://github.com/settings/organizations?ref_product=github&ref_type=engagement&ref_style=text). +{% data reusables.organizations.security-overview %} +1. In the "Metrics" section of the sidebar, click {% octicon "code-square" aria-hidden="true" aria-label="code-square" %} **Code quality**. + +> [!NOTE] The dashboard only displays data for repositories where the viewer can see code quality findings. + +## Interpreting the score distribution chart + +The score distribution chart provides a visual overview of the code health of your organization. Each bubble represents a collection of repositories with the same maintainability and reliability scores. 
+* The **position** of each bubble demonstrates the overall health of those repositories. Higher bubbles represent higher maintainability scores, while bubbles further to the right represent higher reliability scores. +* The **color and border pattern** of a bubble indicate the severity of the lower score for those repositories. For example, a bubble with a "Needs improvement" score in either category will always be red with a dashed border. +* The **size** of each bubble represents the number of repositories with that particular score combination. + +To view the maintainability score, reliability score, and number of repositories represented by a particular bubble, hover over the bubble. + +## Exploring the repository table + +Below the bubble chart, there is a table that lists all repositories in your organization. Here, you can view code quality findings, along with more detailed information about those findings. + +You can sort the repository table in ascending or descending order for any column by clicking the column header. + +## Investigating low-scoring repositories + +1. To filter the dashboard data for the lowest-performing repositories, on the score distribution chart, click the bubble with the lowest combined scores. +1. Scroll down to the repository table. By default, the table is sorted from most to least recent repository scan, helping you prioritize current quality issues. +1. Optionally, to prioritize repositories with the highest number of {% data variables.product.prodname_codeql %} findings, click **Standard Findings** twice. +1. To view the repository-level dashboard for a specific repository, click the repository's name. + +## Next steps + +To understand the code health information available on the repository-level dashboard, see [AUTOTITLE](/code-security/how-tos/maintain-quality-code/interpret-results). 
diff --git a/content/code-security/how-tos/view-and-interpret-data/analyze-organization-data/index.md b/content/code-security/how-tos/view-and-interpret-data/analyze-organization-data/index.md index ec244d0d4b17..8a87fcfb7265 100644 --- a/content/code-security/how-tos/view-and-interpret-data/analyze-organization-data/index.md +++ b/content/code-security/how-tos/view-and-interpret-data/analyze-organization-data/index.md @@ -18,6 +18,7 @@ contentType: how-tos children: - /assessing-code-security-risk - /assessing-adoption-code-security + - /explore-code-quality - /exporting-data-from-security-overview - /viewing-security-insights - /interpreting-security-findings diff --git a/content/code-security/reference/supply-chain-security/dependabot-options-reference.md b/content/code-security/reference/supply-chain-security/dependabot-options-reference.md index 49d4a24ff91a..b71cc5cfa1e4 100644 --- a/content/code-security/reference/supply-chain-security/dependabot-options-reference.md +++ b/content/code-security/reference/supply-chain-security/dependabot-options-reference.md 
@@ -281,8 +281,11 @@ Parameters | Purpose | | `IDENTIFIER` | Define an identifier for the group to use in branch names and pull request titles. This must start and end with a letter, and can contain letters, pipes `\|`, underscores `_`, or hyphens `-`. | | `applies-to` | Specify which type of update the group applies to. When undefined, defaults to version updates. Supported values: `version-updates` or `security-updates`. | | `dependency-type` | Limit the group to a type. Supported values: `development` or `production`. | -| `patterns` | Define one or more patterns to include dependencies with matching names. | | `exclude-patterns` | Define one or more patterns to exclude dependencies from the group. | +| {% ifversion dependabot-updates-group-by %} | +| `group-by` | Group updates across multiple directories. Supported value: `dependency-name`. | +| {% endif %} | +| `patterns` | Define one or more patterns to include dependencies with matching names. | | `update-types` | Limit the group to one or more semantic versioning levels. Supported values: `minor`, `patch`, and `major`. | ### `dependency-type` (`groups`) 
@@ -294,6 +297,29 @@ By default, a group will include all types of dependencies. * Use `development` to include only dependencies in the "Development dependency group." * Use `production` to include only dependencies in the "Production dependency group." +{% ifversion dependabot-updates-group-by %} + +### `group-by` (`groups`) + +Use `groups..group-by` to specify how {% data variables.product.prodname_dependabot %} should group updates across multiple directories in a monorepo. + +* **Type:** String +* **Accepted values:** `dependency-name` +* **Applies to:** Configurations with multiple directories specified + +When set to `dependency-name`, {% data variables.product.prodname_dependabot %} will create a single pull request for each dependency update across all specified directories, rather than separate pull requests per directory. + +**Limitations of cross-directory grouping** + +When using `group-by: dependency-name`: +* All directories must use the same package ecosystem (for example, all `npm` or all `bundler`) +* Applies to **version updates only** +* If directories have incompatible version constraints for a dependency, {% data variables.product.prodname_dependabot %} will create separate pull requests + +For examples showing the use of `group-by`, see [AUTOTITLE](/code-security/tutorials/secure-your-dependencies/optimizing-pr-creation-version-updates#grouping-updates-across-directories-in-a-monorepo). + +{% endif %} + ### `patterns` and `exclude-patterns` (`groups`) Both options support using `*` as a wild card to define matches with dependency names. If a dependency matches both a pattern and an exclude-pattern, then it is excluded from the group. diff --git a/content/code-security/tutorials/improve-code-quality/index.md b/content/code-security/tutorials/improve-code-quality/index.md index 3a08f87c5960..4d41862179d1 100644 --- a/content/code-security/tutorials/improve-code-quality/index.md +++ b/content/code-security/tutorials/improve-code-quality/index.md 
@@ -15,4 +15,3 @@ children: redirect_from: - /code-security/code-quality/tutorials --- - diff --git a/content/code-security/tutorials/secure-your-dependencies/optimizing-pr-creation-version-updates.md b/content/code-security/tutorials/secure-your-dependencies/optimizing-pr-creation-version-updates.md index 89c75b22f00e..82df43152c15 100644 --- a/content/code-security/tutorials/secure-your-dependencies/optimizing-pr-creation-version-updates.md +++ b/content/code-security/tutorials/secure-your-dependencies/optimizing-pr-creation-version-updates.md @@ -110,6 +110,8 @@ See also [`cooldown`](/code-security/dependabot/working-with-dependabot/dependab ## Prioritizing meaningful updates +### Grouping related dependencies together + You can use `groups` to consolidate updates for multiple dependencies into a single pull request. This helps you focus your review time on higher risk updates, and minimize the time spent reviewing minor version updates. For example, you can combine updates for minor or patch updates for development dependencies into a single pull request, and have a dedicated group for security or version updates that impact a key area of your codebase. You must configure groups per individual package ecosystem, then you can create multiple groups per package ecosystem using a combination of criteria: 
@@ -124,3 +126,36 @@ To see all supported values for each criterion, see [`groups`](/code-security/de The below examples present several different methods to create groups of dependencies using the criteria. {% data reusables.dependabot.dependabot-version-updates-groups-yaml-example %} + +{% ifversion dependabot-updates-group-by %} + +### Grouping updates across directories in a monorepo + +If you manage a monorepo with multiple directories that share common dependencies, you can reduce the number of pull requests for version updates by grouping updates by dependency name across all directories. + +When you configure {% data variables.product.prodname_dependabot %} to monitor multiple directories and enable grouping by dependency name, {% data variables.product.prodname_dependabot %} will: +* Create a single pull request for each dependency update that affects multiple directories +* Update the same dependency to the same version across all directories in one operation +* Reduce the number of pull requests you need to review +* Minimize CI/CD costs by running tests once instead of per directory + +For more information, see [`group-by`](/code-security/reference/supply-chain-security/dependabot-options-reference#group-by-groups). + +This configuration example groups updates by dependency name across the `/frontend`, `/admin-panel`, and `/mobile-app` directories. If `lodash` needs to be updated in all three directories, {% data variables.product.prodname_dependabot %} will create a single pull request named "Bump lodash in monorepo-dependencies group" that updates `lodash` in all three locations. + +```yaml +version: 2 +updates: + - package-ecosystem: "npm" + directories: + - "/frontend" + - "/admin-panel" + - "/mobile-app" + schedule: + interval: "weekly" + groups: + monorepo-dependencies: + group-by: dependency-name +``` + +{% endif %} 
diff --git a/data/features/dependabot-updates-group-by.yml b/data/features/dependabot-updates-group-by.yml new file mode 100644 index 000000000000..e51ab72397aa --- /dev/null +++ b/data/features/dependabot-updates-group-by.yml @@ -0,0 +1,5 @@ +# Reference: Issue #20890 - Dependabot can group updates by dependency name across multiple directories in a monorepo [GA] +versions: + fpt: '*' + ghec: '*' + ghes: '>= 3.21' diff --git a/data/reusables/gated-features/code-quality-availability.md b/data/reusables/gated-features/code-quality-availability.md index 1769e0d44f86..f7568fb84e46 100644 --- a/data/reusables/gated-features/code-quality-availability.md +++ b/data/reusables/gated-features/code-quality-availability.md @@ -1,3 +1,3 @@ {% ifversion fpt or ghec %} -{% data variables.product.prodname_code_quality %} is available for organization-owned repositories on {% data variables.product.prodname_team %} or {% data variables.product.prodname_ghe_cloud %} +{% data variables.product.prodname_team %} or {% data variables.product.prodname_ghe_cloud %} {% endif %} diff --git a/src/secret-scanning/data/pattern-docs/fpt/public-docs.yml b/src/secret-scanning/data/pattern-docs/fpt/public-docs.yml index 5adefd6e8bab..ae3b122c4359 100644 --- a/src/secret-scanning/data/pattern-docs/fpt/public-docs.yml +++ b/src/secret-scanning/data/pattern-docs/fpt/public-docs.yml @@ -1126,7 +1126,7 @@ supportedSecret: Baidu AI API Key secretType: baiduai_api_key isPublic: true - isPrivateWithGhas: false + isPrivateWithGhas: true hasPushProtection: false hasValidityCheck: false hasExtendedMetadata: false @@ -1697,7 +1697,7 @@ secretType: datadog_rcm isPublic: false isPrivateWithGhas: true - hasPushProtection: false + hasPushProtection: true hasValidityCheck: false hasExtendedMetadata: false base64Supported: false 
@@ -2561,7 +2561,7 @@ secretType: hubspot_private_apps_user_token isPublic: true isPrivateWithGhas: true - hasPushProtection: false + hasPushProtection: true hasValidityCheck: false hasExtendedMetadata: false base64Supported: false @@ -3411,7 +3411,7 @@ secretType: openweather_api_key isPublic: false isPrivateWithGhas: true - hasPushProtection: false + hasPushProtection: true hasValidityCheck: false hasExtendedMetadata: false base64Supported: false @@ -3781,7 +3781,7 @@ secretType: proctorio_consumer_key isPublic: true isPrivateWithGhas: true - hasPushProtection: false + hasPushProtection: true hasValidityCheck: false hasExtendedMetadata: false base64Supported: false @@ -3791,7 +3791,7 @@ secretType: proctorio_linkage_key isPublic: true isPrivateWithGhas: true - hasPushProtection: false + hasPushProtection: true hasValidityCheck: false hasExtendedMetadata: false base64Supported: false @@ -4766,6 +4766,16 @@ hasExtendedMetadata: false base64Supported: false isduplicate: false +- provider: Weatherstack + supportedSecret: Weatherstack API Key + secretType: weatherstack_api_key + isPublic: false + isPrivateWithGhas: true + hasPushProtection: false + hasValidityCheck: false + hasExtendedMetadata: false + base64Supported: false + isduplicate: false - provider: Weights & Biases supportedSecret: Weights & Biases API Key secretType: wandb_api_key diff --git a/src/secret-scanning/data/pattern-docs/ghec/public-docs.yml b/src/secret-scanning/data/pattern-docs/ghec/public-docs.yml index 5adefd6e8bab..ae3b122c4359 100644 --- a/src/secret-scanning/data/pattern-docs/ghec/public-docs.yml +++ b/src/secret-scanning/data/pattern-docs/ghec/public-docs.yml @@ -1126,7 +1126,7 @@ supportedSecret: Baidu AI API Key secretType: baiduai_api_key isPublic: true - isPrivateWithGhas: false + isPrivateWithGhas: true hasPushProtection: false hasValidityCheck: false hasExtendedMetadata: false 
@@ -1697,7 +1697,7 @@ secretType: datadog_rcm isPublic: false isPrivateWithGhas: true - hasPushProtection: false + hasPushProtection: true hasValidityCheck: false hasExtendedMetadata: false base64Supported: false @@ -2561,7 +2561,7 @@ secretType: hubspot_private_apps_user_token isPublic: true isPrivateWithGhas: true - hasPushProtection: false + hasPushProtection: true hasValidityCheck: false hasExtendedMetadata: false base64Supported: false @@ -3411,7 +3411,7 @@ secretType: openweather_api_key isPublic: false isPrivateWithGhas: true - hasPushProtection: false + hasPushProtection: true hasValidityCheck: false hasExtendedMetadata: false base64Supported: false @@ -3781,7 +3781,7 @@ secretType: proctorio_consumer_key isPublic: true isPrivateWithGhas: true - hasPushProtection: false + hasPushProtection: true hasValidityCheck: false hasExtendedMetadata: false base64Supported: false @@ -3791,7 +3791,7 @@ secretType: proctorio_linkage_key isPublic: true isPrivateWithGhas: true - hasPushProtection: false + hasPushProtection: true hasValidityCheck: false hasExtendedMetadata: false base64Supported: false @@ -4766,6 +4766,16 @@ hasExtendedMetadata: false base64Supported: false isduplicate: false +- provider: Weatherstack + supportedSecret: Weatherstack API Key + secretType: weatherstack_api_key + isPublic: false + isPrivateWithGhas: true + hasPushProtection: false + hasValidityCheck: false + hasExtendedMetadata: false + base64Supported: false + isduplicate: false - provider: Weights & Biases supportedSecret: Weights & Biases API Key secretType: wandb_api_key
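Review bot: Renaming the heading in the second hunk of `content/code-security/concepts/about-code-quality.md` (`-## Understanding where ... findings appear after enablement` to `+## Where will findings appear?`) changes the generated anchor, so any link that targets the old anchor will break silently. Before merging, search the docs for links to the old heading's slug, or keep the old wording and tighten it without changing the slug.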
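Review bot: The "Next steps" hunk in `content/code-security/how-tos/maintain-quality-code/enable-code-quality.md` drops the link to `/code-security/code-quality/tutorials/fix-findings-in-prs` ("Find and fix code quality issues before they reach your default branch") rather than keeping it next to the new organization bullet; if that removal was not intended, restore it as a third bullet. The two remaining bullets also link through different path roots (`/code-security/code-quality/how-tos/interpret-results` here, while the new `explore-code-quality.md` in this same patch points at `/code-security/how-tos/maintain-quality-code/interpret-results` for the same page); pick one canonical path for the repository dashboard article and use it in both files.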
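Review bot: In the new `explore-code-quality.md`, step 3 of "Investigating low-scoring repositories" says to "click **Standard Findings** twice" without saying why; the earlier sentence only states that a column header sorts "in ascending or descending order", so spell out that the first click sorts ascending and the second descending, otherwise readers will click once and get the least-affected repositories first. In "Exploring the repository table", "Here, you can view code quality findings, along with more detailed information about those findings" does not say what the table columns actually show per repository (the scores, the scan date and the findings count are the values the later steps rely on); name them. Finally, `permissions: 'Organization members'` in the front matter sits alongside the note that the dashboard "only displays data for repositories where the viewer can see code quality findings"; consider stating that per-repository visibility condition in the permissions line so the restriction is not missed by readers who skip the note.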
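Review bot: The new `group-by` row in the `groups` parameter table of `dependabot-options-reference.md` should state that it applies to version updates only. The `applies-to` row two lines above allows `security-updates`, and the new `### group-by (groups)` section lists "Applies to **version updates only**" as a limitation, but a reader scanning the table will not see that constraint. Suggested row text: `| group-by | Group updates across multiple directories (version updates only). Supported value: dependency-name. |`.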
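Review bot: In the `### group-by (groups)` hunk, `Use groups..group-by to specify ...` has a doubled dot where the group name belongs; either a placeholder such as `groups.<group-name>.group-by` was lost, or the path should read `groups.GROUP_NAME.group-by`. Confirm what renders on the site. The three bullets under "Limitations of cross-directory grouping" also lack terminal punctuation while the bullets in the `dependency-type` section immediately above end with periods; make them consistent. The limitation "All directories must use the same package ecosystem" is already implied by the example's single `package-ecosystem: "npm"` entry, but it is worth keeping, since a reader could otherwise expect `group-by` to span multiple `updates` entries.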
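Review bot: The YAML example added in the second hunk of `optimizing-pr-creation-version-updates.md` defines the `monorepo-dependencies` group with only `group-by: dependency-name` and no `patterns`, `dependency-type` or `update-types` key, yet the options table in this same patch describes `patterns` as the way a group includes dependencies. Confirm that a group declared with `group-by` alone is accepted by the configuration parser; if it is not, add `patterns: ["*"]` to the example so it runs as shown. Two smaller points: `group-by: dependency-name` is the only unquoted scalar in a block where every other value is double-quoted, so quote it for consistency, and the prose claims the resulting pull request is "named \"Bump lodash in monorepo-dependencies group\"", which is a specific generated title that should be checked against real output before it is documented verbatim.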
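Review bot: The change to `data/reusables/gated-features/code-quality-availability.md` reduces the reusable from a full sentence to the fragment `{% data variables.product.prodname_team %} or {% data variables.product.prodname_ghe_cloud %}`. That fits the new `product:` front-matter usage in `explore-code-quality.md`, but any page that includes this reusable inline in body text will now render a bare product list with no verb. Grep for other consumers of `reusables.gated-features.code-quality-availability` and confirm each expects the short form, or split the sentence and the fragment into two reusables.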