Group user docs on code security into a new "product" (#18196)

content/github/administering-a-repository/about-securing-your-repository.md → content/code-security/getting-started/about-securing-your-repository.md

@@ -1,6 +1,8 @@
 ---
 title: About securing your repository
 intro: '{% data variables.product.product_name %} provides a number of ways that you can help keep your repository secure.'
+redirect_from:
+  - /github/administering-a-repository/about-securing-your-repository
 versions:
   free-pro-team: '*'
   enterprise-server: '>=3.0'

content/code-security/getting-started/index.md

@@ -0,0 +1,13 @@
+---
+title: Getting started with code security
+shortTitle: Getting started
+intro: 'Introduction to code security with {% data variables.product.product_name %}.'
+versions:
+  free-pro-team: '*'
+  enterprise-server: '>=3.0'
+  github-ae: '*'
+---
+
+### Table of Contents
+
+{% link_in_list /about-securing-your-repository %}

content/code-security/index.md

@@ -0,0 +1,19 @@
+---
+title: Code security
+shortTitle: Code security
+intro: 'Learn how to keep the code stored in your repositories secure.'
+versions:
+  free-pro-team: '*'
+  enterprise-server: '>=3.0'
+  github-ae: '*'
+---
+
+{% link_with_intro /getting-started %}
+
+{% link_with_intro /secret-security %}
+
+{% link_with_intro /secure-coding %}
+
+{% link_with_intro /security-advisories %}
+
+{% link_with_intro /supply-chain-security %}

content/github/administering-a-repository/about-secret-scanning.md → content/code-security/secret-security/about-secret-scanning.md

@@ -6,6 +6,7 @@ redirect_from:
   - /github/administering-a-repository/about-token-scanning
   - /articles/about-token-scanning
   - /articles/about-token-scanning-for-private-repositories
+  - /github/administering-a-repository/about-secret-scanning
 versions:
   free-pro-team: '*'
   enterprise-server: '>=3.0'

content/github/administering-a-repository/configuring-secret-scanning-for-your-repositories.md → content/code-security/secret-security/configuring-secret-scanning-for-your-repositories.md

@@ -4,6 +4,7 @@ intro: 'You can configure how {% data variables.product.prodname_dotcom %} scans
 permissions: 'People with admin permissions to a repository can enable {% data variables.product.prodname_secret_scanning %} for the repository.'
 redirect_from:
   - /github/administering-a-repository/configuring-secret-scanning-for-private-repositories
+  - /github/administering-a-repository/configuring-secret-scanning-for-your-repositories
 product: '{% data reusables.gated-features.secret-scanning %}'
 versions:
   free-pro-team: '*'

content/code-security/secret-security/index.md

@@ -0,0 +1,16 @@
+---
+title: Keeping secrets secure
+shortTitle: Secret security
+intro: 'Let GitHub do the hard work of ensuring that tokens, private keys, and other code secrets are not exposed in your repository.'
+product: '{% data reusables.gated-features.secret-scanning %}'
+versions:
+  free-pro-team: '*'
+  enterprise-server: '>=3.0'
+  github-ae: '*'
+---
+
+### Table of Contents
+
+{% link_in_list /about-secret-scanning %}
+{% link_in_list /configuring-secret-scanning-for-your-repositories %}
+{% link_in_list /managing-alerts-from-secret-scanning %}

content/github/administering-a-repository/managing-alerts-from-secret-scanning.md → content/code-security/secret-security/managing-alerts-from-secret-scanning.md

@@ -2,6 +2,8 @@
 title: Managing alerts from secret scanning
 intro: You can view and close alerts for secrets checked in to your repository.
 product: '{% data reusables.gated-features.secret-scanning %}'
+redirect_from:
+   - /github/administering-a-repository/managing-alerts-from-secret-scanning
 versions:
   free-pro-team: '*'
   enterprise-server: '>=3.0'

content/code-security/secure-coding/about-code-scanning.md

@@ -0,0 +1,62 @@
+---
+title: About code scanning
+intro: 'You can use {% data variables.product.prodname_code_scanning %} to find security vulnerabilities and errors in the code for your project on {% data variables.product.prodname_dotcom %}.'
+product: '{% data reusables.gated-features.code-scanning %}'
+redirect_from:
+  - /github/finding-security-vulnerabilities-and-errors-in-your-code/about-code-scanning
+versions:
+  free-pro-team: '*'
+  enterprise-server: '>=3.0'
+  github-ae: '*'
+---
+
+{% data reusables.code-scanning.beta %}
+{% data reusables.code-scanning.enterprise-enable-code-scanning %}
+
+### About {% data variables.product.prodname_code_scanning %}
+
+{% data reusables.code-scanning.about-code-scanning %}
+
+You can use {% data variables.product.prodname_code_scanning %} to find, triage, and prioritize fixes for existing problems in your code. {% data variables.product.prodname_code_scanning_capc %} also prevents developers from introducing new problems. You can schedule scans for specific days and times, or trigger scans when a specific event occurs in the repository, such as a push.
+
+If {% data variables.product.prodname_code_scanning %} finds a potential vulnerability or error in your code, {% data variables.product.prodname_dotcom %} displays an alert in the repository. After you fix the code that triggered the alert, {% data variables.product.prodname_dotcom %} closes the alert. For more information, see "[Managing {% data variables.product.prodname_code_scanning %} alerts for your repository](/code-security/secure-coding/managing-code-scanning-alerts-for-your-repository)."
+
+To monitor results from {% data variables.product.prodname_code_scanning %} across your repositories or your organization, you can use webhooks and the {% data variables.product.prodname_code_scanning %} API. For information about the webhooks for {% data variables.product.prodname_code_scanning %}, see 
+"[Webhook events and payloads](/developers/webhooks-and-events/webhook-events-and-payloads#code_scanning_alert)." For information about API endpoints, see  "[{% data variables.product.prodname_code_scanning_capc %}](/rest/reference/code-scanning)." 
+
+To get started with {% data variables.product.prodname_code_scanning %}, see "[Setting up {% data variables.product.prodname_code_scanning %} for a repository](/code-security/secure-coding/setting-up-code-scanning-for-a-repository)."
+
+### About {% data variables.product.prodname_codeql %}
+
+You can use {% data variables.product.prodname_code_scanning %} with {% data variables.product.prodname_codeql %}, a semantic code analysis engine. {% data variables.product.prodname_codeql %} treats code as data, allowing you to find potential vulnerabilities in your code with greater confidence than traditional static analyzers. 
+
+{% data variables.product.prodname_ql %} is the query language that powers {% data variables.product.prodname_codeql %}. {% data variables.product.prodname_ql %} is an object-oriented logic programming language. {% data variables.product.company_short %}, language experts, and security researchers create the queries used for {% data variables.product.prodname_code_scanning %}, and the queries are open source. The community maintains and updates the queries to improve analysis and reduce false positives. For more information, see [{% data variables.product.prodname_codeql %}](https://securitylab.github.com/tools/codeql) on the GitHub Security Lab website.
+
+{% data variables.product.prodname_code_scanning_capc %} with {% data variables.product.prodname_codeql %} supports both compiled and interpreted languages, and can find vulnerabilities and errors in code that's written in the supported languages.
+
+{% data reusables.code-scanning.supported-languages %}
+
+You can view and contribute to the queries for {% data variables.product.prodname_code_scanning %} in the [`github/codeql`](https://github.com/github/codeql) repository. For more information, see [{% data variables.product.prodname_codeql %} queries](https://codeql.github.com/docs/writing-codeql-queries/codeql-queries/) in the {% data variables.product.prodname_codeql %} documentation.
+
+{% if currentVersion == "free-pro-team@latest" %}
+
+### About billing for {% data variables.product.prodname_code_scanning %}
+
+{% data variables.product.prodname_code_scanning_capc %} uses {% data variables.product.prodname_actions %}, and each run of a {% data variables.product.prodname_code_scanning %} workflow consumes minutes for {% data variables.product.prodname_actions %}. For more information, see "[About billing for {% data variables.product.prodname_actions %}](/github/setting-up-and-managing-billing-and-payments-on-github/about-billing-for-github-actions)."
+
+{% endif %}
+
+### About third-party code scanning tools
+
+{% data reusables.code-scanning.you-can-upload-third-party-analysis %}
+
+{% data reusables.code-scanning.interoperable-with-tools-that-output-sarif %}
+
+{% data reusables.code-scanning.get-started-uploading-third-party-data %}
+
+### Further reading
+
+{% if currentVersion == "free-pro-team@latest" or currentVersion ver_gt "[email protected]" %}
+- "[About securing your repository](/github/administering-a-repository/about-securing-your-repository)"{% endif %}
+- [{% data variables.product.prodname_security %}](https://securitylab.github.com/)
+- [OASIS Static Analysis Results Interchange Format (SARIF) TC](https://www.oasis-open.org/committees/tc_home.php?wg_abbrev=sarif) on the OASIS Committee website

content/code-security/secure-coding/about-integration-with-code-scanning.md

@@ -0,0 +1,29 @@
+---
+title: About integration with code scanning
+shortTitle: About integration
+intro: 'You can perform {% data variables.product.prodname_code_scanning %} externally and then display the results in {% data variables.product.prodname_dotcom %}, or set up webhooks that listen to {% data variables.product.prodname_code_scanning %} activity in your repository.'
+product: '{% data reusables.gated-features.code-scanning %}'
+redirect_from:
+  - /github/finding-security-vulnerabilities-and-errors-in-your-code/about-integration-with-code-scanning
+versions:
+  free-pro-team: '*'
+  enterprise-server: '>=3.0'
+  github-ae: '*'
+---
+
+{% data reusables.code-scanning.beta %}
+{% data reusables.code-scanning.enterprise-enable-code-scanning %}
+
+As an alternative to running {% data variables.product.prodname_code_scanning %} within {% data variables.product.prodname_dotcom %}, you can perform analysis elsewhere and then upload the results. Alerts for {% data variables.product.prodname_code_scanning %} that you run externally are displayed in the same way as those for  {% data variables.product.prodname_code_scanning %} that you run within {% data variables.product.prodname_dotcom %}. For more information, see "[Managing {% data variables.product.prodname_code_scanning %} alerts for your repository](/code-security/secure-coding/managing-code-scanning-alerts-for-your-repository)."
+
+If you use a third-party static analysis tool that can produce results as Static Analysis Results Interchange Format (SARIF) 2.1.0 data, you can upload this to {% data variables.product.prodname_dotcom %}. For more information, see "[Uploading a SARIF file to GitHub](/code-security/secure-coding/uploading-a-sarif-file-to-github)."
+
+### Integrations with webhooks
+
+You can use {% data variables.product.prodname_code_scanning %} webhooks to build or set up integrations, such as [{% data variables.product.prodname_github_app %}s](/apps/building-github-apps/) or [{% data variables.product.prodname_oauth_app %}s](/apps/building-oauth-apps/), that subscribe to {% data variables.product.prodname_code_scanning %} events in your repository. For example, you could build an integration that creates an issue on {% data variables.product.product_name %} or sends you a Slack notification when a new {% data variables.product.prodname_code_scanning %} alert is added in your repository. For more information, see "[Creating webhooks](/developers/webhooks-and-events/creating-webhooks)" and "[Webhook events and payloads](/developers/webhooks-and-events/webhook-events-and-payloads#code_scanning_alert)."
+
+### Further reading
+
+* "[About {% data variables.product.prodname_code_scanning %}](/code-security/secure-coding/about-code-scanning)"
+* "[Using {% data variables.product.prodname_codeql %} {% data variables.product.prodname_code_scanning %} with your existing CI system](/code-security/secure-coding/using-codeql-code-scanning-with-your-existing-ci-system)"
+* "[SARIF support for {% data variables.product.prodname_code_scanning %}](/code-security/secure-coding/sarif-support-for-code-scanning)"

content/code-security/secure-coding/automatically-scanning-your-code-for-vulnerabilities-and-errors.md

@@ -0,0 +1,14 @@
+---
+title: Automatically scanning your code for vulnerabilities and errors
+shortTitle: Scanning automatically
+intro: 'You can find vulnerabilities and errors in your project''s code on {% data variables.product.prodname_dotcom %}, as well as view, triage, understand, and resolve the related {% data variables.product.prodname_code_scanning %} alerts.'
+mapTopic: true
+product: '{% data reusables.gated-features.code-scanning %}'
+redirect_from:
+  - /github/finding-security-vulnerabilities-and-errors-in-your-code/automatically-scanning-your-code-for-vulnerabilities-and-errors
+versions:
+  free-pro-team: '*'
+  enterprise-server: '>=3.0'
+  github-ae: '*'
+---
+