Security campaigns with Copilot Autofix [GA] #16444 (#55094)

Co-authored-by: mc <[email protected]>

Author: am-stead

assets/images/help/security/driver-sec-campaign-view.png

@@ -0,0 +1,121 @@
+---
+title: Best practices for participating in a security campaign
+shortTitle: Best practices for campaigns
+intro: 'Learn how you can successfully take part in a security campaign and how it can benefit your career as well as your code.'
+allowTitleToDifferFromFilename: true
+permissions: '{% data reusables.permissions.code-scanning-all-alerts %}'
+product: '{% data reusables.gated-features.security-campaigns %}'
+type: how_to
+versions:
+  feature: security-campaigns
+topics:
+  - Code Security
+  - Code scanning
+  - Alerts
+  - Repositories
+---
+
+## What is a security campaign
+
+A security campaign is a group of security alerts, detected in the default branches of repositories, chosen by an organization owner or security manager for remediation.
+
+You can take part in a security campaign by fixing one or more of the alerts included in the campaign.
+
+## What are the benefits of participating in a campaign
+
+In addition to the benefit of removing an important security problem from your organization's codebase, alerts in a security campaign have several other benefits compared with fixing another alert in your repository.
+
+* You have a campaign manager on the security team to collaborate with and a specific contact link for discussing campaign activities.
+* You know that you are fixing a security alert that is important to the company.
+* Potentially, you may have access to targeted training materials.{% ifversion security-campaigns-autofix %}
+* You don't need to request a {% data variables.product.prodname_copilot_autofix %} suggestion, it is already available as a starting point.{% endif %}{% ifversion copilot %}
+* If you have access to {% data variables.product.prodname_copilot_chat %}, you can ask questions about the alert and the suggested fix.{% endif %}
+* You are improving and demonstrating your knowledge of secure coding.
+
+Adopting a few key best practices can help you participate successfully in a campaign.
+
+## Stay informed
+
+### Notification settings
+
+To receive email updates about security campaigns in repositories you have write access to, make sure that you:
+
+* **Watch** all repositories that you have write access to.
+* **Subscribe** to notifications for "All activity" or "Security alerts".
+
+### View campaign details
+
+When you open the **Security** tab for a repository with one or more campaign alerts, you can see the campaign name in the sidebar of the view. Click the campaign name to see the list of alerts included in the campaign and summary information on how the campaign is progressing.
+
+### Campaign-generated {% data variables.product.prodname_github_issues %}
+
+Some campaigns automatically create {% data variables.product.prodname_github_issues %} for each repository which details the campaign managers, contact URL, and due date.
+
+You can use this issue to plan and track campaign work as part of your usual workflows, such as:
+
+* Adding the issue to project boards
+* Adding assignees
+* Creating sub-issues or tasklists
+
+## Seek context
+
+Your security team may provide you with specific training ahead of participating in a campaign, so that you feel equipped to address the alerts included in the campaign.
+
+If no formal training program is available, you can request that the campaign manager shares information on:
+
+* Types of security vulnerabilities included in the campaign
+* Examples of how to fix them
+* How to test the fixes
+
+In addition, there are external resources for understanding common security issues:
+
+* The **OWASP Foundation** provides many resources for learning about the most common vulnerabilities, see [About the OWASP Foundation](https://owasp.org/about/).
+* The **MITRE Corporation** maintains a detailed list of common weaknesses, see [About CWE](https://cwe.mitre.org/about/index.html).
+
+## Group similar alerts
+
+When fixing security alerts as part of a campaign, it may be helpful to group and fix similar alerts together. By doing so, you can develop a deeper understanding of the underlying issue. As you gain confidence and efficiency in resolving a specific type of alert, it makes it easier and faster for you to resolve subsequent alerts.
+
+{% ifversion copilot %}
+
+## Leverage {% data variables.product.prodname_copilot_short %}
+
+{% ifversion code-scanning-autofix %}
+
+### {% data variables.product.prodname_copilot_autofix_short %}
+
+{% data variables.product.prodname_copilot_autofix_short %} is automatically triggered for alerts that are included in a campaign, meaning that where possible, fixes are automatically generated for you. You can commit the suggested fix to resolve the alert and then verify that continuous integration testing (CI) for the codebase is still passing. See [AUTOTITLE](/code-security/code-scanning/managing-code-scanning-alerts/fixing-alerts-in-security-campaign).
+
+### {% data variables.product.prodname_copilot_chat_short %}
+
+{% endif %}
+
+You can ask {% data variables.product.prodname_copilot_chat_short %} for help in understanding the vulnerability, the suggested fix, and how to test that the fix is comprehensive. To access {% data variables.product.prodname_copilot_chat_short %}, navigate to https://github.com/copilot.
+
+Alternatively, when viewing a specific alert, in the top right corner of the page, click the {% data variables.product.prodname_copilot_chat_short %} icon ({% octicon "copilot" aria-hidden="true" %}) to open a chat window, and ask {% data variables.product.prodname_copilot_short %} questions about the alert.
+
+For example:
+
+   ```text copy
+
+   Explain how this alert introduces a vulnerability into the code.
+
+   ```
+
+If you don't already have access to {% data variables.product.prodname_copilot_chat_short %} through your organization{% ifversion ghec %} or enterprise{% endif %}, you can sign up to {% data variables.product.prodname_copilot_free %}. For more information, see [AUTOTITLE](/copilot/managing-copilot/managing-copilot-as-an-individual-subscriber/managing-copilot-free/accessing-github-copilot-free).
+
+{% endif %}
+
+## Ask questions
+
+A security campaign will generally include a contact URL, which might link you to the campaign manager, an open forum (such as a {% data variables.product.github %} Discussion), or a website of resources. You should use this space to ask questions about the campaign or specific alerts, find useful resources, and share knowledge.
+
+To find the contact URL:
+
+1. Open the **Security** tab for your repository.
+1. On the left sidebar, click the name of the campaign you are participating in.
+1. On the campaign tracking page, to the right of the campaign manager's name, click **{% octicon "comment" aria-hidden="true" %}**.
+
+## Next steps
+
+* [AUTOTITLE](/code-security/code-scanning/managing-code-scanning-alerts/fixing-alerts-in-security-campaign)

assets/images/help/security/security-campaigns-tracking-overview.png

@@ -1,7 +1,7 @@
 ---
 title: Fixing alerts in a security campaign
 shortTitle: Fix alerts in campaign
-intro: 'Learn how you can take part in a security campaign and how it can benefit your career as well as your code.'
+intro: 'Learn how to find and fix alerts in a security campaign.'
 allowTitleToDifferFromFilename: true
 permissions: '{% data reusables.permissions.code-scanning-all-alerts %}'
 product: '{% data reusables.gated-features.security-campaigns %}'
@@ -14,32 +14,14 @@ topics:
   - Alerts
   - Repositories
 ---
-{% data reusables.security-campaigns.preview-note %}
-
-## What is a security campaign
-
-A security campaign is a group of security alerts, detected in the default branches of repositories, chosen by an organization owner or security manager for remediation. When a security campaign is created with alerts in repositories that you have write access to, you are notified if you subscribe to email notifications for "All activity" or "Security alerts". In addition, when you open the **Security** tab for a repository with one or more campaign alerts, you can see the campaign name in the sidebar of the view.
-
-You can take part in a security campaign by fixing one or more of the alerts chosen for the campaign.
-
-## What are the benefits of fixing alerts in a campaign
-
-In addition to the benefit of removing an important security problem from your code, alerts in a security campaign have several other benefits compared with fixing another alert in your repository.
-
-* You have a campaign manager on the security team to collaborate with and a specific contact link for discussing campaign activities.
-* You know that you are fixing a security alert that is important to the company.
-* Potentially, you may have access to targeted training materials.{% ifversion security-campaigns-autofix %}
-* You don't need to request a {% data variables.product.prodname_copilot_autofix %} suggestion, it is already available as a starting point.{% endif %}{% ifversion copilot %}
-* If you have access to {% data variables.product.prodname_copilot_chat %}, you can ask questions about the alert and the suggested fix.{% endif %}
-* You are improving and demonstrating your knowledge of secure coding.
 
 ## Viewing alerts in a security campaign
 
 When a campaign targets security alerts in a repository that you have write access to, you can navigate to the list of repository alerts in the campaign.
 
-* Display the **Security** tab for the repository and click one of the campaigns under the "Campaigns" title in the sidebar.
+* Display the **Security** tab for the repository and click one of the campaigns under "Campaigns" in the sidebar.
 * If you have enabled email notifications for "All activity" or "Security alerts" in the repository, click **View security campaign** in the campaign email.
-* If you have write access to more than one repository in the organization, display the **Security** tab for the organization and click one of the campaigns under the "Campaigns" title in the sidebar.
+* If you have write access to more than one repository in the organization, display the **Security** tab for the organization and click one of the campaigns under "Campaigns" in the sidebar.
 
 This view shows the alerts in the current repository for a campaign called "SQL injection (CWE-89)" (highlighted gray) that is managed by "octocat" (outlined in dark orange).
 
@@ -69,10 +51,6 @@ If you want to see the code that triggered the security alert and the suggested
 
 If you have access to {% data variables.product.prodname_copilot_chat_short %} then you can ask the AI questions about the vulnerability, the suggested fix, and how to test that the fix is comprehensive.
 
-To get the most out of {% data variables.product.prodname_copilot_chat_short %} when you're working with alerts, you should explicitly ask {% data variables.product.prodname_copilot_chat_short %} to use the {% data variables.product.prodname_GH_advanced_security %} skill to answer your questions.
-
-For example: "Use the {% data variables.product.prodname_GH_advanced_security %} skill to explain how this alert introduces a vulnerability into the code."
-
 > [!TIP]
 > {% data reusables.copilot.semantic-index-info %}
 

content/code-security/code-scanning/managing-code-scanning-alerts/best-practices-for-participating-in-a-security-campaign.md

@@ -17,6 +17,7 @@ children:
   - /disabling-autofix-for-code-scanning
   - /assessing-code-scanning-alerts-for-your-repository
   - /resolving-code-scanning-alerts
+  - /best-practices-for-participating-in-a-security-campaign
   - /fixing-alerts-in-security-campaign
   - /triaging-code-scanning-alerts-in-pull-requests
   - /tracking-code-scanning-alerts-in-issues-using-task-lists

content/code-security/code-scanning/managing-code-scanning-alerts/fixing-alerts-in-security-campaign.md

@@ -15,8 +15,6 @@ topics:
 
 Once you have identified security alerts in the default branches of your repositories, the next step is to identify the most urgent alerts and get them fixed. Security campaigns are a way to group alerts and share them with developers, so you can collaborate to remediate vulnerabilities in the code.
 
-{% data reusables.security-campaigns.preview-note %}
-
 ## Security campaigns in your day-to-day work
 
 You can use security campaigns to support many of your aims as a security leader.
@@ -30,14 +28,16 @@ You can use security campaigns to support many of your aims as a security leader
 
 A security campaign has many benefits over other ways of encouraging developers to remediate security alerts. In particular,
 
-* Developers are notified about any security campaigns taking place in repositories they work in or subscribe to (by email during the {% data variables.release-phases.public_preview %}).
+* Developers are notified about any security campaigns taking place in repositories they work in or subscribe to by email.
 * Developers can see the alerts you've highlighted for remediation without leaving their normal workflows.
 * Each campaign has a named point of contact for questions, reviews, and collaboration.  {% ifversion security-campaigns-autofix %}
 * {% data variables.product.prodname_copilot_autofix %} is automatically triggered to suggest a resolution for each security alert. {% endif %}
 
-In addition, you can use one of the templates to select a group of closely related alerts for a campaign. This allows developers to build on the knowledge gained by resolving one alert and use it to fix several more, providing them with an incentive to fix multiple alerts.
+You can use one of the templates to select a group of closely related alerts for a campaign. This allows developers to build on the knowledge gained by resolving one alert and use it to fix several more, providing them with an incentive to fix multiple alerts.
+
+{% data reusables.code-scanning.campaigns-api %}
 
 ## Next steps
 
 * [AUTOTITLE](/code-security/securing-your-organization/fixing-security-alerts-at-scale/best-practice-fix-alerts-at-scale)
-* [AUTOTITLE](/code-security/securing-your-organization/fixing-security-alerts-at-scale/creating-tracking-security-campaigns)
+* [AUTOTITLE](/code-security/securing-your-organization/fixing-security-alerts-at-scale/creating-managing-security-campaigns)

content/code-security/code-scanning/managing-code-scanning-alerts/index.md

@@ -12,7 +12,6 @@ topics:
   - Organizations
   - Security
 ---
-{% data reusables.security-campaigns.preview-note %}
 
 ## Elements of a successful security campaign
 
@@ -47,6 +46,10 @@ For example, if you have many alerts for cross-site scripting vulnerabilities, y
 
 When you select alerts to include in a security campaign, you can use any of the filters on the security alerts page to define a subset of alerts. Alternatively, you can choose a campaign template to use one of the pre-defined filters for common needs, for example: "Cross-site scripting (CWE-79)."
 
+### Draft campaigns
+
+It can be useful to create a draft campaign first, which lists the alerts that are set to be included in the campaign and the campaign details, so that you can collaborate on the scope of the campaign prior to publishing it. For guidance on creating a draft campaign, see [AUTOTITLE](/code-security/securing-your-organization/fixing-security-alerts-at-scale/creating-managing-security-campaigns#create-a-campaign).
+
 ### Limitations on security campaigns
 
 The following limitations are intended to encourage you to take a balanced and measured approach to remediating alerts in your code. An iterative approach, addressing a few targeted sets of alerts at a time, is likely to lead to a sustainable and long-term change in security posture.
@@ -66,6 +69,12 @@ The names of the campaign managers are visible to developers when they take part
 
 If you want to increase the remediation rate for alerts and scale the knowledge of the security team, this is a key opportunity to build collaborative relationships with developers. Ideally, the campaign managers are available to answer questions and collaborate on difficult fixes via the contact link. Campaign managers should also be available to review pull requests for fixes over the whole course of the campaign.
 
+## Creating issues for a campaign
+
+When you create a campaign, you can choose to automatically open a {% data variables.product.github %} Issue in every repository involved in the campaign. This means that the work can be much more easily tracked, assigned, and managed on team project boards. What's more, when you update the details of the campaign, such as the contact link or due date, the issue body gets automatically updated with the latest information. When a campaign reaches its due date, or gets deleted or closed, a comment is automatically posted on the issue.
+
+This can aid developer engagement by providing clear, up-to-date context directly within developers' existing workflows. For information on how to automate issue creation for campaigns, see [AUTOTITLE](/code-security/securing-your-organization/fixing-security-alerts-at-scale/creating-managing-security-campaigns#create-a-campaign).
+
 ## Combining security training with a security campaign
 
 If your security team already provides training for developers on secure coding, creating a campaign with alerts chosen to allow developers to use the skills from the training session is a great way to reinforce their learning. Even if you don't have a formal training program, it makes sense to provide information on the types of security vulnerabilities included in the campaign, examples of how to fix them, and how to test the fixes. This will simplify the role of the campaign manager as they will be able to direct developers to these resources for answers to basic questions.
@@ -80,8 +89,6 @@ The OWASP Foundation provides many resources for learning about the most common
 
 {% data variables.product.prodname_copilot %} is an important tool for developers who have questions about secure coding, how to fix security alerts, and test their fix. Check that all developers in your organization have access to {% data variables.product.prodname_copilot_short %} in both their IDE and {% data variables.product.github %}, see [AUTOTITLE](/copilot/managing-copilot/managing-github-copilot-in-your-organization/managing-access-to-github-copilot-in-your-organization/granting-access-to-copilot-for-members-of-your-organization).
 
-> [!TIP] The {% data variables.product.prodname_GH_advanced_security %} skill provides {% data variables.product.prodname_copilot_chat_short %} with additional context to answer questions about security alerts.
-
 {% endif %}
 
 ## Considerations in starting a security campaign and defining a deadline
@@ -90,4 +97,4 @@ As with any other project, it's important to define realistic timescales to avoi
 
 ## Next steps
 
-* [AUTOTITLE](/code-security/securing-your-organization/fixing-security-alerts-at-scale/creating-tracking-security-campaigns)
+* [AUTOTITLE](/code-security/securing-your-organization/fixing-security-alerts-at-scale/creating-managing-security-campaigns)