Copilot secret scanning - generic secret detection [GA] github#15175 (#52605)

Co-authored-by: mc <[email protected]>
Co-authored-by: Courtney Claessens <[email protected]>

Author: 3 people

content/admin/enforcing-policies/enforcing-policies-for-your-enterprise/enforcing-policies-for-code-security-and-analysis-for-your-enterprise.md

@@ -118,9 +118,9 @@ Across all of your enterprise's organizations, you can allow or disallow people
 
 {% ifversion secret-scanning-ai-generic-secret-detection %}
 
-## Enforcing a policy to manage the use of generic secret detection for {% data variables.product.prodname_secret_scanning %} in your enterprise's repositories
+## Enforcing a policy to manage the use of {% data variables.secret-scanning.generic-secret-detection %} for {% data variables.product.prodname_secret_scanning %} in your enterprise's repositories
 
-Across all of your enterprise's organizations, you can allow or disallow people with admin access to repositories to manage and configure generic secret detection for {% data variables.product.prodname_secret_scanning %} for the repositories. {% data reusables.advanced-security.ghas-must-be-enabled %}
+Across all of your enterprise's organizations, you can allow or disallow people with admin access to repositories to manage and configure AI detection in {% data variables.product.prodname_secret_scanning %} for the repositories. {% data reusables.advanced-security.ghas-must-be-enabled %}
 
 {% data reusables.enterprise-accounts.access-enterprise %}
 {% data reusables.enterprise-accounts.policies-tab %}

content/code-security/secret-scanning/copilot-secret-scanning/enabling-ai-powered-generic-secret-detection.md

@@ -0,0 +1,48 @@
+---
+title: Enabling Copilot secret scanning's generic secret detection
+shortTitle: Enable generic secret detection
+intro: 'You can enable {% data variables.secret-scanning.generic-secret-detection %} for your repository or organization. Alerts for generic secrets, such as passwords, are displayed in a separate list on the {% data variables.product.prodname_secret_scanning %} alerts page.'
+allowTitleToDifferFromFilename: true
+versions:
+  feature: secret-scanning-ai-generic-secret-detection
+product: '{% data reusables.gated-features.secret-scanning %}'
+type: how_to
+topics:
+  - Secret scanning
+  - Advanced Security
+  - AI
+  - Copilot
+redirect_from:
+  - /code-security/secret-scanning/enabling-ai-powered-generic-secret-detection
+  - /code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/generic-secret-detection/enabling-ai-powered-generic-secret-detection
+---
+
+## Enabling {% data variables.secret-scanning.generic-secret-detection %}
+
+{% data reusables.secret-scanning.generic-secret-detection-policy-note %}
+
+You can then enable {% data variables.secret-scanning.generic-secret-detection %} in the security settings page of your repository or organization.
+
+{% data reusables.secret-scanning.copilot-secret-scanning-generic-secrets-subscription-note %}
+
+### Enabling {% data variables.secret-scanning.generic-secret-detection %} for your repository
+
+{% data reusables.repositories.navigate-to-repo %}
+{% data reusables.repositories.sidebar-settings %}
+{% data reusables.repositories.navigate-to-code-security-and-analysis %}
+{% data reusables.repositories.navigate-to-ghas-settings %}
+1. Under "Secret scanning", select the checkbox next to "Scan for generic secrets".
+
+### Enabling {% data variables.secret-scanning.generic-secret-detection %} for your organization
+
+{% data reusables.profile.access_org %}
+{% data reusables.profile.org_settings %}
+1. In the "Security" section of the sidebar, click **{% octicon "codescan" aria-hidden="true" %} Code security** then **Global settings**.
+1. Under "Secret scanning", select the checkbox next to "Scan for generic secrets".
+
+For information on how to view alerts for generic secrets that have been detected using AI, see "[AUTOTITLE](/code-security/secret-scanning/managing-alerts-from-secret-scanning/viewing-alerts)."
+
+## Further reading
+
+* [AUTOTITLE](/code-security/secret-scanning/copilot-secret-scanning/responsible-ai-generic-secrets)
+* [AUTOTITLE](/code-security/secret-scanning/introduction/about-secret-scanning)

content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/generating-regular-expressions-for-custom-patterns-with-ai.md content/code-security/secret-scanning/copilot-secret-scanning/generating-regular-expressions-for-custom-patterns-with-ai.md

@@ -10,12 +10,16 @@ topics:
   - Advanced Security
   - Secret scanning
   - AI
+  - Copilot
 redirect_from:
   - /code-security/secret-scanning/generating-regular-expressions-for-custom-patterns-with-ai
+  - /code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/generating-regular-expressions-for-custom-patterns-with-ai
 ---
 
 ## Generating a regular expression for a repository with AI
 
+{% data reusables.secret-scanning.copilot-secret-scanning-expression-generator-subscription-note %}
+
 {% data reusables.repositories.navigate-to-repo %}
 {% data reusables.repositories.sidebar-settings %}
 {% data reusables.repositories.navigate-to-code-security-and-analysis %}
@@ -44,4 +48,4 @@ redirect_from:
 
 ## Further reading
 
-* "[AUTOTITLE](/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/responsible-use-ai-regex-generator)"
+* "[AUTOTITLE](/code-security/secret-scanning/copilot-secret-scanning/responsible-use-ai-regex-generator)"

content/code-security/secret-scanning/copilot-secret-scanning/index.md

@@ -0,0 +1,21 @@
+---
+title: Enhance your secret detection capabilities with Copilot secret scanning
+shortTitle: Copilot secret scanning
+allowTitleToDifferFromFilename: true
+intro: 'Learn how {% data variables.product.prodname_secret_scanning %} uses AI to detect generic secrets in your code, and generate regular expressions for your custom patterns.'
+product: '{% data reusables.gated-features.secret-scanning %}'
+versions:
+  ghec: '*'
+topics:
+  - Secret scanning
+  - Advanced Security
+  - Repositories
+  - Copilot
+children:
+  - /responsible-ai-generic-secrets
+  - /enabling-ai-powered-generic-secret-detection
+  - /responsible-use-ai-regex-generator
+  - /generating-regular-expressions-for-custom-patterns-with-ai
+redirect_from:
+  - /code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/generic-secret-detection
+---

content/code-security/secret-scanning/copilot-secret-scanning/responsible-ai-generic-secrets.md

@@ -0,0 +1,101 @@
+---
+title: Responsible detection of generic secrets with Copilot secret scanning
+shortTitle: Generic secret detection
+intro: 'Learn how {% data variables.secret-scanning.copilot-secret-scanning %} uses AI responsibly to scan and create alerts for unstructured secrets, such as passwords.'
+allowTitleToDifferFromFilename: true
+versions:
+  feature: secret-scanning-ai-generic-secret-detection
+  fpt: '*'
+type: rai
+topics:
+  - Secret scanning
+  - Advanced Security
+  - AI
+  - Copilot
+redirect_from:
+  - /code-security/secret-scanning/about-the-detection-of-generic-secrets-with-secret-scanning
+  - /code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/generic-secret-detection/about-the-detection-of-generic-secrets-with-secret-scanning
+  - /code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/generic-secret-detection/responsible-ai-generic-secrets
+---
+
+<!--Note on the versioning above ^. This article is visible to free, pro, team users for transparency. They cannot use the feature so `fpt` is not included in the feature definition.-->
+
+## About {% data variables.secret-scanning.generic-secret-detection %} with {% data variables.secret-scanning.copilot-secret-scanning %}
+
+{% data variables.secret-scanning.copilot-secret-scanning %}'s {% data variables.secret-scanning.generic-secret-detection %} is an AI-powered expansion of {% data variables.product.prodname_secret_scanning %} that identifies unstructured secrets (passwords) in your source code and then generates an alert.
+
+{% data reusables.rai.secret-scanning.copilot-secret-scanning-generic-secrets-subscription-note %}
+
+{% data variables.product.prodname_GH_advanced_security %} users can already receive {% data variables.secret-scanning.alerts %} for partner or custom patterns found in their source code, but unstructured secrets are not easily discoverable. {% data variables.secret-scanning.copilot-secret-scanning %} uses large language models (LLMs) to identify this type of secret.
+
+When a password is detected, an alert is displayed in the "Experimental" list of {% data variables.product.prodname_secret_scanning %} alerts (under the **Security** tab of the repository, organization, or enterprise), so that maintainers and security managers can review the alert and, where necessary, remove the credential or implement a fix.
+
+{% data reusables.rai.secret-scanning.generic-secret-detection-policy-note %} The feature must then be enabled for repositories and organizations.
+
+### Input processing
+
+Input is limited to text (typically code) that a user has checked into a repository. The system provides this text to the LLM along with a meta prompt asking the LLM to find passwords within the scope of the input. The user does not interact with the LLM directly.
+
+The system scans for passwords using the LLM. No additional data is collected by the system, other than what is already collected by the existing {% data variables.product.prodname_secret_scanning %} feature.
+
+### Output and display
+
+The LLM scans for strings that resemble passwords and verifies that the identified strings included in the response actually exist in the input.
+
+These detected strings are surfaced as alerts on the {% data variables.product.prodname_secret_scanning %} alerts page, but they are displayed in an additional list that is separate from regular {% data variables.secret-scanning.alerts %}. The intent is that this separate list is triaged with more scrutiny to verify the validity of the findings. Each alert notes that it was detected using AI. {% ifversion secret-scanning-ai-generic-secret-detection %}For information on how to view alerts for generic secrets, see "[AUTOTITLE](/code-security/secret-scanning/managing-alerts-from-secret-scanning/viewing-alerts)."{% endif %}
+
+## Improving the performance of {% data variables.secret-scanning.generic-secret-detection %}
+
+To improve the performance of {% data variables.secret-scanning.generic-secret-detection %}, we recommend closing false positive alerts appropriately.
+
+### Verify the accuracy of alerts and close as appropriate
+
+Since {% data variables.secret-scanning.copilot-secret-scanning %}'s {% data variables.secret-scanning.generic-secret-detection %} may generate more false positives than the existing {% data variables.product.prodname_secret_scanning %} feature for partner patterns, it's important that you review the accuracy of these alerts. When you verify an alert to be a false positive, be sure to close the alert and mark the reason as "False positive" in the {% data variables.product.prodname_dotcom %} UI. The {% data variables.product.prodname_dotcom %} development team will use information on false positive volume and detection locations to improve the model. {% data variables.product.prodname_dotcom %} does not have access to the secret literals themselves.
+
+## Limitations of {% data variables.secret-scanning.generic-secret-detection %}
+
+When using {% data variables.secret-scanning.copilot-secret-scanning %}'s {% data variables.secret-scanning.generic-secret-detection %}, you should consider the following limitations.
+
+### Limited scope
+
+{% data variables.secret-scanning.generic-secret-detection-caps %} currently only looks for instances of passwords in git content. The feature does not look for other types of generic secrets, and it does not look for secrets in non-git content, such as {% data variables.product.prodname_github_issues %}.
+
+### Potential for false positive alerts
+
+{% data variables.secret-scanning.generic-secret-detection-caps %} may generate more false positive alerts when compared to the existing {% data variables.product.prodname_secret_scanning %} feature (which detects partner patterns, and which has a very low false positive rate). To mitigate this excess noise, alerts are grouped in a separate list from partner pattern alerts, and security managers and maintainers should triage each alert to verify its accuracy.
+
+### Potential for incomplete reporting
+
+{% data variables.secret-scanning.generic-secret-detection-caps %} may miss instances of credentials checked into a repository. The LLM will improve over time. You retain ultimate responsibility for ensuring the security of your code.
+
+### Limitations by design
+
+{% data variables.secret-scanning.generic-secret-detection-caps %} has the following limitations by design:
+
+* {% data variables.secret-scanning.copilot-secret-scanning %} will not detect secrets that are obviously fake or test passwords, or passwords with low entropy.
+* {% data variables.secret-scanning.copilot-secret-scanning %} will only detect a maximum of 100 passwords per push.
+* If five or more detected secrets within a single file are marked as false positive, {% data variables.secret-scanning.copilot-secret-scanning %} will stop generating new alerts for that file.
+* {% data variables.secret-scanning.copilot-secret-scanning %} does not detect secrets in generated or vendored files.
+* {% data variables.secret-scanning.copilot-secret-scanning %} does not detect secrets in encrypted files.
+* {% data variables.secret-scanning.copilot-secret-scanning %} does not detect secrets in file types: SVG, PNG, JPEG, CSV, TXT, SQL, or ITEM.
+* {% data variables.secret-scanning.copilot-secret-scanning %} does not detect secrets in test code. {% data variables.secret-scanning.copilot-secret-scanning %} skips detections where:
+   * The file path contains "test", "mock", or "spec".
+   * The file extension is `.cs`, `.go`, `.java`, `.js`, `.kt`, `.php`, `.py`, `.rb`, `.scala`, `.swift`, or `.ts`.
+
+## Evaluation of {% data variables.secret-scanning.generic-secret-detection %}
+
+{% data variables.secret-scanning.generic-secret-detection-caps %} has been subject to Responsible AI Red Teaming and {% data variables.product.prodname_dotcom %} will continue to monitor the efficacy and safety of the feature over time.
+
+{% ifversion secret-scanning-ai-generic-secret-detection %}
+
+## Next steps
+
+* [AUTOTITLE](/code-security/secret-scanning/copilot-secret-scanning/enabling-ai-powered-generic-secret-detection)
+* [AUTOTITLE](/code-security/secret-scanning/managing-alerts-from-secret-scanning)
+
+{% endif %}
+
+## Further reading
+
+* [AUTOTITLE](/code-security/secret-scanning/introduction/about-secret-scanning){% ifversion ghec %}
+* [AUTOTITLE](/admin/policies/enforcing-policies-for-your-enterprise/enforcing-policies-for-code-security-and-analysis-for-your-enterprise#enforcing-a-policy-to-manage-the-use-of-generic-secret-detection-for-secret-scanning-in-your-enterprises-repositories){% endif %}

content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/responsible-use-ai-regex-generator.md content/code-security/secret-scanning/copilot-secret-scanning/responsible-use-ai-regex-generator.md

@@ -12,10 +12,12 @@ topics:
   - Advanced Security
   - Secret scanning
   - AI
+  - Copilot
 redirect_from:
   - /code-security/secret-scanning/about-the-regular-expression-generator-for-custom-patterns
   - /code-security/secret-scanning/about-generating-regular-expressions-with-ai
   - /code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/about-generating-regular-expressions-with-ai
+  - /code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/responsible-use-ai-regex-generator
 ---
 
 <!--Note on the versioning above ^. This article is visible to free, pro, team users for transparency. They cannot use the feature so `fpt` is not included in the feature definition.-->
@@ -24,6 +26,8 @@ redirect_from:
 
 {% data variables.product.prodname_secret_scanning_caps %} scans repositories for a predefined set of secrets from our partner program, as well as custom patterns that are user-defined. Custom patterns are formatted as regular expressions.
 
+{% data reusables.rai.secret-scanning.copilot-secret-scanning-expression-generator-subscription-note %}
+
 Regular expressions can be challenging for people to write. The {% data variables.secret-scanning.custom-pattern-regular-expression-generator %} makes it possible for you to define your custom patterns without knowledge of regular expressions. Within the existing custom pattern page, you can launch a generative AI experience where you input a text description of what pattern you would like to detect, include optional example strings that should be detected, and get matching regular expressions in return.
 
 ### Input processing
@@ -60,7 +64,7 @@ Note that the {% data variables.secret-scanning.custom-pattern-regular-expressio
 
 ## Next steps
 
-* [AUTOTITLE](/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/generating-regular-expressions-for-custom-patterns-with-ai)
+* [AUTOTITLE](/code-security/secret-scanning/copilot-secret-scanning/generating-regular-expressions-for-custom-patterns-with-ai)
 * [AUTOTITLE](/code-security/secret-scanning/managing-alerts-from-secret-scanning)
 {% endif %}
 

content/code-security/secret-scanning/index.md

@@ -20,6 +20,7 @@ children:
   - /managing-alerts-from-secret-scanning
   - /working-with-secret-scanning-and-push-protection
   - /using-advanced-secret-scanning-and-push-protection-features
+  - /copilot-secret-scanning
   - /troubleshooting-secret-scanning-and-push-protection
   - /secret-scanning-partnership-program
 ---

content/code-security/secret-scanning/introduction/about-secret-scanning.md

@@ -104,14 +104,6 @@ Scan for and detect secrets that are not specific to a service provider, such as
 
 {% endif %}
 
-{% ifversion secret-scanning-ai-generic-secret-detection %}
-
-### Generic secret detection
-
-Leverage {% data variables.product.prodname_secret_scanning %}'s AI capabilities to detect unstructured secrets, such as passwords, in your repository. For more information, see "[AUTOTITLE](/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/generic-secret-detection/responsible-ai-generic-secrets)."
-
-{% endif %}
-
 ### Performing validity checks
 
 Validity checks help you prioritize alerts by telling you which secrets are `active` or `inactive`. For more information, see{% ifversion secret-scanning-validity-check-partner-patterns %} "[AUTOTITLE](/code-security/secret-scanning/enabling-secret-scanning-features/enabling-validity-checks-for-your-repository)" and{% endif %} "[AUTOTITLE](/code-security/secret-scanning/managing-alerts-from-secret-scanning/evaluating-alerts#checking-a-secrets-validity)."
@@ -122,11 +114,14 @@ Validity checks help you prioritize alerts by telling you which secrets are `act
 
 Define your own patterns for secrets used by your organization that {% data variables.product.prodname_secret_scanning %} can scan for and detect. For more information, see "[AUTOTITLE](/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/defining-custom-patterns-for-secret-scanning)."
 
-{% ifversion secret-scanning-custom-pattern-ai-generated %}
+{% endif %}
 
-You can also leverage AI to generate regular expressions that will capture all your custom patterns. For more information, see "[AUTOTITLE](/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/responsible-use-ai-regex-generator)."
+{% ifversion secret-scanning-ai-generic-secret-detection %}
 
-{% endif %}
+### {% data variables.secret-scanning.copilot-secret-scanning %}
+
+* **{% data variables.secret-scanning.generic-secret-detection-caps %}**: Leverage {% data variables.product.prodname_secret_scanning %}'s AI capabilities to detect unstructured secrets, such as passwords, in your repository. For more information, see "[AUTOTITLE](/code-security/secret-scanning/copilot-secret-scanning/responsible-ai-generic-secrets)."{% ifversion secret-scanning-custom-pattern-ai-generated %}
+* **{% data variables.secret-scanning.custom-pattern-regular-expression-generator-caps %}**: Leverage {% data variables.product.prodname_secret_scanning %}'s AI capabilities to generate regular expressions that will capture all your custom patterns. For more information, see "[AUTOTITLE](/code-security/secret-scanning/copilot-secret-scanning/responsible-use-ai-regex-generator).{% endif %}
 
 {% endif %}