Repo sync #39353
Merged
merged 6 commits into from
Jul 16, 2025
Expand Up @@ -59,7 +59,8 @@ When creating a security configuration, keep in mind that:
* **Push protection**. To learn about push protection, see [AUTOTITLE](/code-security/secret-scanning/introduction/about-push-protection).{% ifversion security-delegated-alert-dismissal %}
* **Prevent direct alert dismissals**. To learn more, see [AUTOTITLE](/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/enabling-delegated-alert-dismissal-for-secret-scanning).{% endif %}
1. Optionally, enable "{% data variables.product.prodname_code_security %}", a paid feature for private {% ifversion ghec %}and internal {% endif %} repositories. You can choose whether to enable, disable, or keep the existing settings for the following {% data variables.product.prodname_code_scanning %} features:
* **Default setup**. To learn more, see [AUTOTITLE](/code-security/code-scanning/enabling-code-scanning/configuring-default-setup-for-code-scanning#about-default-setup). {% ifversion code-scanning-default-setup-customize-labels %}
* **Default setup**. To learn more about default setup, see [AUTOTITLE](/code-security/code-scanning/enabling-code-scanning/configuring-default-setup-for-code-scanning#about-default-setup).
{% data reusables.code-scanning.enable-default-setup-allow-advanced-setup-note %}{% ifversion code-scanning-default-setup-customize-labels %}
* **Runner type**. If you want to target specific runners for {% data variables.product.prodname_code_scanning %}, you can choose to use custom-labeled runners at this step. See [AUTOTITLE](/code-security/code-scanning/enabling-code-scanning/configuring-default-setup-for-code-scanning#assigning-labels-to-runners).{% endif %} {% ifversion security-delegated-alert-dismissal %}
* **Prevent direct alert dismissals**. To learn more, see [AUTOTITLE](/code-security/code-scanning/managing-your-code-scanning-configuration/enabling-delegated-alert-dismissal-for-code-scanning).{% endif %}
1. Still under "{% data variables.product.prodname_code_security %}", in the "Dependency scanning" table, choose whether you want to enable, disable, or keep the existing settings for the following dependency scanning features:
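Review bot: the new `{% data reusables.code-scanning.enable-default-setup-allow-advanced-setup-note %}` line under the **Default setup** bullet appears to start at column 0 (indentation may have been lost in this view); if it is not indented to the bullet's content level, Markdown will render it as a paragraph that breaks out of the nested list rather than as part of the bullet. Separately, the troubleshooting page edited in this same PR marks the "Enabled with advanced setup allowed" option as available only from {% data variables.product.prodname_ghe_server %} 3.19, so either the reusable or this call site should be wrapped in an `{% ifversion %}` so earlier GHES docs do not describe an option the UI lacks.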
Expand Down Expand Up @@ -97,7 +98,8 @@ When creating a security configuration, keep in mind that:
* **Push protection**. To learn about push protection, see [AUTOTITLE](/code-security/secret-scanning/introduction/about-push-protection).{% ifversion security-delegated-alert-dismissal %}
* **Prevent direct alert dismissals**. To learn more, see [AUTOTITLE](/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/enabling-delegated-alert-dismissal-for-secret-scanning).{% endif %}
1. In the "{% data variables.product.prodname_code_scanning_caps %}" table, choose whether you want to enable, disable, or keep the existing settings for {% data variables.product.prodname_code_scanning %} default setup.
* **Default setup**. To learn more, see [AUTOTITLE](/code-security/code-scanning/enabling-code-scanning/configuring-default-setup-for-code-scanning#about-default-setup). {% ifversion code-scanning-default-setup-customize-labels %}
* **Default setup**. To learn more, see [AUTOTITLE](/code-security/code-scanning/enabling-code-scanning/configuring-default-setup-for-code-scanning#about-default-setup).
{% data reusables.code-scanning.enable-default-setup-allow-advanced-setup-note %}{% ifversion code-scanning-default-setup-customize-labels %}
* **Runner type**. If you want to target specific runners for {% data variables.product.prodname_code_scanning %}, you can choose to use custom-labeled runners at this step. See [AUTOTITLE](/code-security/code-scanning/enabling-code-scanning/configuring-default-setup-for-code-scanning#assigning-labels-to-runners).{% endif %} {% ifversion security-delegated-alert-dismissal %}
* **Prevent direct alert dismissals**. To learn more, see [AUTOTITLE](/code-security/code-scanning/managing-your-code-scanning-configuration/enabling-delegated-alert-dismissal-for-code-scanning).{% endif %}
1. In the "Dependency scanning" table, choose whether you want to enable, disable, or keep the existing settings for the following dependency scanning features:
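Review bot: wording drift between the two copies of this list in the same file: the first hunk changed the bullet to "To learn more about default setup, see", while this one keeps "To learn more, see". Pick one phrasing for both. The same indentation check on the reusable line applies here.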
Expand Up @@ -60,7 +60,8 @@ You can also choose whether or not you want to include {% data variables.product
* **Bypass privileges**. By assigning bypass privileges, selected organization members can bypass push protection, and there is a review and approval process for all other contributors. See [AUTOTITLE](/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/about-delegated-bypass-for-push-protection).{% endif %}{% ifversion security-delegated-alert-dismissal %}
* **Prevent direct alert dismissals**. To learn more, see [AUTOTITLE](/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/enabling-delegated-alert-dismissal-for-secret-scanning).{% endif %}
1. Optionally, enable "{% data variables.product.prodname_code_security %}", a paid feature for private {% ifversion ghec %}and internal {% endif %} repositories. You can choose whether to enable, disable, or keep the existing settings for the following {% data variables.product.prodname_code_scanning %} features:
* **Default setup**. To learn more, see [AUTOTITLE](/code-security/code-scanning/enabling-code-scanning/configuring-default-setup-for-code-scanning#about-default-setup). {% ifversion code-scanning-default-setup-customize-labels %}
* **Default setup**. To learn more about default setup, see [AUTOTITLE](/code-security/code-scanning/enabling-code-scanning/configuring-default-setup-for-code-scanning#about-default-setup).
{% data reusables.code-scanning.enable-default-setup-allow-advanced-setup-note %}{% ifversion code-scanning-default-setup-customize-labels %}
* **Runner type**. If you want to target specific runners for {% data variables.product.prodname_code_scanning %}, you can choose to use custom-labeled runners at this step. See [AUTOTITLE](/code-security/code-scanning/enabling-code-scanning/configuring-default-setup-for-code-scanning#assigning-labels-to-runners).{% endif %} {% ifversion security-delegated-alert-dismissal %}
* **Prevent direct alert dismissals**. To learn more, see [AUTOTITLE](/code-security/code-scanning/managing-your-code-scanning-configuration/enabling-delegated-alert-dismissal-for-code-scanning).{% endif %}
1. Still under "{% data variables.product.prodname_code_security %}", in the "Dependency scanning" table, choose whether you want to enable, disable, or keep the existing settings for the following dependency scanning features:
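Review bot: this hunk is the same change as the first hunk of the previous file, and the PR has to patch four near-identical copies of the code scanning option list. Consider moving the **Default setup** / **Runner type** / **Prevent direct alert dismissals** bullets into a single reusable so the two organization-level pages cannot drift apart again.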
Expand Down Expand Up @@ -99,7 +100,8 @@ You can also choose whether or not you want to include {% data variables.product
* **Bypass privileges**. By assigning bypass privileges, selected organization members can bypass push protection, and there is a review and approval process for all other contributors. See [AUTOTITLE](/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/about-delegated-bypass-for-push-protection).{% endif %}{% ifversion security-delegated-alert-dismissal %}
* **Prevent direct alert dismissals**. To learn more, see [AUTOTITLE](/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/enabling-delegated-alert-dismissal-for-secret-scanning).{% endif %}
1. In the "{% data variables.product.prodname_code_scanning_caps %}" table, choose whether you want to enable, disable, or keep the existing settings for {% data variables.product.prodname_code_scanning %} default setup.
* **Default setup**. To learn more, see [AUTOTITLE](/code-security/code-scanning/enabling-code-scanning/configuring-default-setup-for-code-scanning#about-default-setup). {% ifversion code-scanning-default-setup-customize-labels %}
* **Default setup**. To learn more about default setup, see [AUTOTITLE](/code-security/code-scanning/enabling-code-scanning/configuring-default-setup-for-code-scanning#about-default-setup).
{% data reusables.code-scanning.enable-default-setup-allow-advanced-setup-note %}{% ifversion code-scanning-default-setup-customize-labels %}
* **Runner type**. If you want to target specific runners for {% data variables.product.prodname_code_scanning %}, you can choose to use custom-labeled runners at this step. See [AUTOTITLE](/code-security/code-scanning/enabling-code-scanning/configuring-default-setup-for-code-scanning#assigning-labels-to-runners).{% endif %} {% ifversion security-delegated-alert-dismissal %}
* **Prevent direct alert dismissals**. To learn more, see [AUTOTITLE](/code-security/code-scanning/managing-your-code-scanning-configuration/enabling-delegated-alert-dismissal-for-code-scanning).{% endif %}
1. In the "Dependency scanning" table, choose whether you want to enable, disable, or keep the existing settings for the following dependency scanning features:
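Review bot: this copy uses "To learn more about default setup, see", whereas the corresponding second list in the previous file (under the "{% data variables.product.prodname_code_scanning_caps %}" table step) kept "To learn more, see". Align the two so the same bullet reads identically across both pages.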
@@ -1,7 +1,7 @@
---
title: A repository is using advanced setup for code scanning
shortTitle: Active advanced setup
intro: 'You cannot attach a {% data variables.product.prodname_security_configuration %} with code scanning enabled to repositories that are using advanced setup for code scanning.'
intro: 'You see an error when you try to attach a {% data variables.product.prodname_security_configuration %} with default code scanning enabled to repositories that use advanced setup for code scanning.'
permissions: '{% data reusables.permissions.security-org-enable %}'
versions:
feature: security-configurations
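Review bot: "with default code scanning enabled" in the new intro is not the term the body uses; the body says {% data variables.product.prodname_code_scanning %} "default setup set to "Enabled"". Consider "with {% data variables.product.prodname_code_scanning %} default setup enabled" so the intro and the first paragraph name the same setting.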
Expand All @@ -15,9 +15,9 @@ topics:

## About the problem

You cannot successfully apply a {% data variables.product.prodname_security_configuration %} with {% data variables.product.prodname_code_scanning %} default setup enabled to a target repository that uses advanced setup for {% data variables.product.prodname_code_scanning %}. Advanced setups are tailored to the specific security needs of their repositories, so they are not intended to be overridden at scale.
You cannot successfully apply a {% data variables.product.prodname_security_configuration %} with {% data variables.product.prodname_code_scanning %} default setup set to "Enabled" to a target repository that uses advanced setup for {% data variables.product.prodname_code_scanning %}. Advanced setups are tailored to the specific security needs of their repositories, so they are not intended to be overridden at scale.

If you try to attach a {% data variables.product.prodname_security_configuration %} with {% data variables.product.prodname_code_scanning %} enabled to a repository already using advanced setup, security settings will be applied as follows:
If you try to attach a {% data variables.product.prodname_security_configuration %} with {% data variables.product.prodname_code_scanning %} set to "Enabled" to a repository that already uses advanced setup, security settings will be applied as follows:

* **{% data variables.product.prodname_code_scanning_caps %} default setup will not be enabled**, and advanced setup will continue to run as normal.
* **All other security features enabled in the configuration will be enabled.**
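Review bot: the two edited sentences now disagree about what is set to "Enabled": the first says default setup is set to "Enabled", the second says {% data variables.product.prodname_code_scanning %} is set to "Enabled". Per the solution list further down, the option being set is the Default setup option, so the second sentence should also read "default setup set to "Enabled"". Keep the quoted "Enabled" in both, since "Enabled with advanced setup allowed" is also an enabled state and the distinction is the whole point of the page.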
Expand All @@ -33,7 +33,8 @@ For all repositories without an active advanced setup, the {% data variables.pro

## Solving the problem

There are two ways you can solve this problem:
There are three ways you could solve this problem:

1. **Change the Default setup option from "Enabled" to "Enabled with advanced setup allowed"** in the {% data variables.product.prodname_security_configuration %}. _Option available from {% data variables.product.prodname_ghe_server %} 3.19._ After editing your {% data variables.product.prodname_security_configuration %}, reapply it to the repositories. For more information, see [AUTOTITLE](/code-security/securing-your-organization/enabling-security-features-in-your-organization/applying-a-custom-security-configuration).
1. **Update the affected repositories to use default setup** for {% data variables.product.prodname_code_scanning %} at the repository level and then reapply your {% data variables.product.prodname_security_configuration %} to the repositories. For more information, see [AUTOTITLE](/code-security/code-scanning/enabling-code-scanning/configuring-default-setup-for-code-scanning).
1. **Create a new custom {% data variables.product.prodname_security_configuration %}** that does not include a setting for {% data variables.product.prodname_code_scanning %} and apply this {% data variables.product.prodname_security_configuration %} to repositories that use advanced setup. For more information, see [AUTOTITLE](/code-security/securing-your-organization/enabling-security-features-in-your-organization/creating-a-custom-security-configuration).
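Review bot: "There are three ways you could solve this problem" weakens "can" to "could" for no reason; keep "can". More substantively, new option 1 is version-gated in prose ("_Option available from {% data variables.product.prodname_ghe_server %} 3.19._") while these pages otherwise gate features with `{% ifversion %}`; wrapping the list item in an ifversion (and switching "three"/"two" in the lead sentence accordingly) avoids telling administrators on earlier releases to pick an option their UI does not offer.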
Expand Up @@ -15,6 +15,8 @@ redirect_from:
> {% data reusables.copilot.coding-agent.preview-note-text %}
>
> For an introduction to {% data variables.copilot.copilot_coding_agent %}, see [AUTOTITLE](/copilot/concepts/about-copilot-coding-agent).
>
> Firewall configuration has moved to the {% data variables.copilot.copilot_coding_agent %} settings page. Previous configurations saved as Actions variables will be maintained on that page.

## Overview

Expand All @@ -30,30 +32,39 @@ If {% data variables.product.prodname_copilot_short %} tries to make a request w

## Allowlisting additional hosts in the agent's firewall

You can allowlist additional addresses in the agent's firewall by setting the `COPILOT_AGENT_FIREWALL_ALLOW_LIST_ADDITIONS` {% data variables.product.prodname_actions %} variable to a comma-separated list. In that list, you can include:
You can allowlist additional addresses in the agent's firewall.

{% data reusables.repositories.navigate-to-repo %}
{% data reusables.repositories.sidebar-settings %}
1. In the "Code & automation" section of the sidebar, click **{% data variables.product.prodname_copilot_short %}** then **{% data variables.copilot.copilot_coding_agent_short %}**.
1. Click **Custom allowlist**
1. Add the addresses you want to include in the allow list. You can include:

* **Domains** (for example, `packages.contoso.corp`). Traffic will be allowed to the specified domain and any subdomains.

* **Domains** (for example, `packages.contoso.corp`), in which case traffic will be allowed to that domain and any subdomains.
**Example**: `packages.contoso.corp` will allow traffic to `packages.contoso.corp` and `prod.packages.contoso.corp`, but not `artifacts.contoso.corp`.

**Example**: `packages.contoso.corp` would allow traffic to `packages.contoso.corp` and `prod.packages.contoso.corp`, but not `artifacts.contoso.corp`.
* **URLs** (for example, `https://packages.contoso.corp/project-1/`). Traffic will only be allowed on the specified scheme (`https`) and host (`packages.contoso.corp`), and limited to the specified path and descendant paths.

* **URLs** (for example, `https://packages.contoso.corp/project-1/`), in which case traffic will only be allowed on the specified scheme (`https`) and host (`packages.contoso.corp`), and limited to the specified path and descendant paths.
**Example**: `https://packages.contoso.corp/project-1/` will allow traffic to `https://packages.contoso.corp/project-1/` and `https://packages.contoso.corp/project-1/tags/latest`, but not `https://packages.consoto.corp/project-2`, `ftp://packages.contoso.corp` or `https://artifacts.contoso.corp`.

**Example**: `https://packages.contoso.corp/project-1/` would allow traffic to `https://packages.contoso.corp/project-1/` and `https://packages.contoso.corp/project-1/tags/latest`, but not `https://packages.consoto.corp/project-2`, `ftp://packages.contoso.corp` or `https://artifacts.contoso.corp`.
1. Click **Add Rule**.
1. After validating your list, click **Save changes**.

## Overwriting the firewall allowlist
## Overwriting the recommended firewall allowlist

By default, the firewall allows access to a number of hosts that are commonly used to download dependencies or that {% data variables.product.prodname_copilot_short %} uses to interact with {% data variables.product.github %}.

To completely clear this default allowlist and start again from scratch, set the `COPILOT_AGENT_FIREWALL_ALLOW_LIST` {% data variables.product.prodname_actions %} variable to a comma-separated list of hosts.
To disable this, toggle the **Recommended allowlist** setting **off**.

For example, to _only_ allow access to `packages.contoso.corp` and `artifacts.contoso.corp`, set the `COPILOT_AGENT_FIREWALL_ALLOW_LIST` variable to `packages.contoso.corp,artifacts.contoso.corp`.
To use the recommended allowlist in addition to your own allowlist, keep the **Recommended allowlist** setting **on**, and add your additional addresses in the **Custom allowlist** page.

### Disabling the firewall

> [!WARNING]
> Disabling the firewall will allow {% data variables.product.prodname_copilot_short %} to connect to any host, increasing risks of exfiltration of code or other sensitive information.

The firewall is enabled by default. To disable the firewall, set the `COPILOT_AGENT_FIREWALL_ENABLED` {% data variables.product.prodname_actions %} variable to `false`.
The firewall is enabled by default. To disable the firewall, toggle the **Enable firewall** setting to **off**.

## Further reading
