diff --git a/content/code-security/supply-chain-security/end-to-end-supply-chain/securing-accounts.md b/content/code-security/supply-chain-security/end-to-end-supply-chain/securing-accounts.md index 282b6154af95..2ab73d6b4095 100644 --- a/content/code-security/supply-chain-security/end-to-end-supply-chain/securing-accounts.md +++ b/content/code-security/supply-chain-security/end-to-end-supply-chain/securing-accounts.md 
@@ -54,12 +54,12 @@ For more information about the authentication methods available for {% data vari The best way to improve the security of {% ifversion fpt %}your personal account{% elsif ghes %}your personal account or {% data variables.location.product_location %}{% elsif ghec %}your accounts{% elsif ghae %}your enterprise on {% data variables.product.product_name %}{% endif %} is to configure two-factor authentication (2FA){% ifversion ghae %} on your SAML identity provider (IdP){% endif %}. Passwords by themselves can be compromised by being guessable, by being reused on another site that's been compromised, or by social engineering, like phishing. 2FA makes it much more difficult for your accounts to be compromised, even if an attacker has your password. -As a best practice, to ensure both security and reliable access to your account, you should always have at least two second-factor credentials registered on your account. Extra credentials ensures that even if you lose access to one credential, you won't be locked out of your account.{% ifversion fpt or ghec %} +As a best practice, to ensure both security and reliable access to your account, you should always have at least two second-factor credentials registered on your account. Extra credentials ensures that even if you lose access to one credential, you won't be locked out of your account.{% ifversion fpt or ghec %} -Additionally, you should prefer security keys and authenticator apps (called TOTP apps) over use of SMS whenever possible. SMS-based 2FA does not provide the same level of protection as TOTP apps or security keys, and it is no longer recommended under the [NIST 800-63B](https://pages.nist.gov/800-63-3/sp800-63b.html) digital identity guidelines. +Additionally, you should prefer security keys and authenticator apps (called TOTP apps) over use of SMS whenever possible. 
SMS-based 2FA does not provide the same level of protection as TOTP apps or security keys, and it is no longer recommended under the [NIST 800-63B](https://pages.nist.gov/800-63-3/sp800-63b.html) digital identity guidelines. {% endif %}{% ifversion mandatory-2fa-dotcom-contributors %}{% ifversion ghec %} -If service accounts in your organization have been selected for 2FA enrollment by {% data variables.product.prodname_dotcom %}, their tokens and keys will continue to work after the deadline without interruption. Only access to {% data variables.product.prodname_dotcom %} through the website UI will be blocked until the account has enabled 2FA. We recommend setting up TOTP as the second factor for service accounts, and storing the TOTP secret exposed during setup in your company's shared password manager, with access to the secrets controlled through SSO. +If service accounts in your organization have been selected for 2FA enrollment by {% data variables.product.prodname_dotcom %}, their tokens and keys will continue to work after the deadline without interruption. Only access to {% data variables.product.prodname_dotcom %} through the website UI will be blocked until the account has enabled 2FA. We recommend setting up TOTP as the second factor for service accounts, and storing the TOTP secret exposed during setup in your company's shared password manager, with access to the secrets controlled through SSO. {% endif %}{% endif %} {% ifversion not ghae %} 
@@ -110,7 +110,7 @@ For more information, see {% ifversion ghec %}"[AUTOTITLE](/admin/identity-and-a {% data variables.product.product_name %} supports several options for 2FA, and while any of them is better than nothing, the most secure option is WebAuthn. WebAuthn requires either a hardware security key or a device that supports it through things like Windows Hello or Mac TouchID. It's possible, although difficult, to phish other forms of 2FA (for example, someone asking you to read them your 6 digit one-time password). However WebAuthn isn't phishable, because domain scoping is built into the protocol, which prevents credentials from a website impersonating a login page from being used on {% data variables.product.product_name %}. -When you set up 2FA, you should always download the recovery codes and set up more than one factor. This ensures that access to your account doesn't depend on a single device. For more information, see "[AUTOTITLE](/authentication/securing-your-account-with-two-factor-authentication-2fa/configuring-two-factor-authentication)," "[AUTOTITLE](/authentication/securing-your-account-with-two-factor-authentication-2fa/configuring-two-factor-authentication-recovery-methods)," and [GitHub Branded hardware security keys](https://thegithubshop.com/products/github-branded-yubikey) in the GitHub shop. +When you set up 2FA, you should always download the recovery codes and set up more than one factor. This ensures that access to your account doesn't depend on a single device. For more information, see "[AUTOTITLE](/authentication/securing-your-account-with-two-factor-authentication-2fa/configuring-two-factor-authentication)" and "[AUTOTITLE](/authentication/securing-your-account-with-two-factor-authentication-2fa/configuring-two-factor-authentication-recovery-methods)." ### Configure your organization account 
diff --git a/content/rest/overview/permissions-required-for-github-apps.md b/content/rest/overview/permissions-required-for-github-apps.md index 5fdef260bcfc..68c4358fe135 100644 --- a/content/rest/overview/permissions-required-for-github-apps.md +++ b/content/rest/overview/permissions-required-for-github-apps.md 
@@ -844,6 +844,28 @@ shortTitle: GitHub App permissions {% ifversion fpt or ghec or ghes > 3.6 %}- [`POST /repos/{owner}/{repo}/pages/deployment`](/rest/pages#create-a-github-pages-deployment) (write){% endif %} {% ifversion fpt or ghec %}- [`GET /repos/{owner}/{repo}/pages/health`](/rest/pages#get-a-dns-health-check-for-github-pages) (write){% endif %} +{% ifversion fpt or ghec or ghes > 3.9 %} + +## {% data variables.product.pat_generic_caps %} requests + +- [`GET /organizations/{org}/personal-access-token-requests`](/rest/orgs/orgs#list-requests-to-access-organization-resources-with-fine-grained-personal-access-tokens) (read) +- [`POST /organizations/{org}/personal-access-token-requests`](/rest/orgs/orgs#review-requests-to-access-organization-resources-with-fine-grained-personal-access-tokens) (write) +- [`POST /organizations/{org}/personal-access-token-requests/{pat_request_id}`](/rest/orgs/orgs#review-a-request-to-access-organization-resources-with-a-fine-grained-personal-access-token) (write) +- [`GET /organizations/{org}/personal-access-token-requests/{pat_request_id}/repositories`](/rest/orgs/orgs#list-repositories-requested-to-be-accessed-by-a-fine-grained-personal-access-token) (read) + +{% endif %} + +{% ifversion fpt or ghec or ghes > 3.9 %} + +## {% data variables.product.pat_generic_caps %}s + +- [`GET /organizations/{org}/personal-access-tokens`](/rest/orgs/orgs#list-fine-grained-personal-access-tokens-with-access-to-organization-resources) (read) +- [`POST /organizations/{org}/personal-access-tokens`](/rest/orgs/orgs#update-the-access-to-organization-resources-via-fine-grained-personal-access-tokens) (write) +- [`POST /organizations/{org}/personal-access-tokens/{pat_id}`](/rest/orgs/orgs#update-the-access-a-fine-grained-personal-access-token-has-to-organization-resources) (write) +- [`GET /organizations/{org}/personal-access-tokens/{pat_id}/repositories`](/rest/orgs/orgs#list-repositories-a-fine-grained-personal-access-token-has-access-to) (read) + 
+{% endif %} + {% ifversion fpt or ghec %} ## Plan diff --git a/data/reusables/repositories/tracks-vulnerabilities.md b/data/reusables/repositories/tracks-vulnerabilities.md index b16edca7bed4..612b286f81d5 100644 --- a/data/reusables/repositories/tracks-vulnerabilities.md +++ b/data/reusables/repositories/tracks-vulnerabilities.md @@ -2,9 +2,9 @@ We add advisories to the {% data variables.product.prodname_advisory_database %} - Security advisories reported on {% data variables.product.prodname_dotcom %} - The [National Vulnerability database](https://nvd.nist.gov/) - The [npm Security advisories database](https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm) -- The [FriendsOfPHP database](https://github.com/FriendsOfPHP/security-advisories) -- The [Go Vulncheck database](https://pkg.go.dev/golang.org/x/vuln/vulncheck) -- The [Python Packaging Advisory database](https://github.com/pypa/advisory-database) +- The [FriendsOfPHP database](https://github.com/FriendsOfPHP/security-advisories) +- The [Go Vulncheck database](https://pkg.go.dev/vuln/) +- The [Python Packaging Advisory database](https://github.com/pypa/advisory-database) - The [Ruby Advisory database](https://rubysec.com/) - The [RustSec Advisory database](https://rustsec.org/) - Community contributions. For more information, see [https://github.com/github/advisory-database/pulls](https://github.com/github/advisory-database/pulls). diff --git a/lib/excluded-links.js b/lib/excluded-links.js index 459d08db9f99..aa1cc9ec473d 100644 --- a/lib/excluded-links.js +++ b/lib/excluded-links.js @@ -52,4 +52,5 @@ export default [ 'https://developer.apple.com/documentation/swift_packages', 'https://developer.android.com/studio/run/emulator-acceleration', 'https://support.discord.com/hc/en-us/articles/360045138571-Beginner-s-Guide-to-Discord', + 'https://www.microsoft.com/en-us/edge', ]
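Review bot: the securing-accounts.md hunk at @@ -54,12 +54,12 rewrites the "at least two second-factor credentials" paragraph without fixing the agreement error it carries: "Extra credentials ensures that" should read "Extra credentials ensure that". Apart from breaking the "SMS-based 2FA does not provide the same level of protection" sentence onto its own line, the first and third replaced paragraphs are identical to the lines they remove, so this hunk is otherwise a whitespace-only change. If the intent of the split is a separate paragraph, a blank line is needed inside the {% ifversion fpt or ghec %} block, since a bare line break renders as part of the same paragraph; either way, fix the grammar on the line already being touched.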
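Review bot: the securing-accounts.md hunk at @@ -110,7 +110,7 drops the GitHub shop link to branded hardware security keys, so the paragraph now ends with only the two AUTOTITLE references. The surrounding text still steers readers toward WebAuthn and hardware security keys, so the removal leaves no pointer to where to obtain one; if this is deliberate (for example, an external link failing the link checker, or a link that is not appropriate for every {% data variables.product.product_name %} version), state the reason in the PR description. The trailing period moved inside the closing quote is consistent with the first reference, so no change needed there.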
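Review bot: in the permissions-required-for-github-apps.md hunk, the two new sections sit in back-to-back {% ifversion fpt or ghec or ghes > 3.9 %} ... {% endif %} blocks with an identical condition; fold them into one block so the version gate is maintained in a single place. The second heading also forms its plural by appending a literal "s" to the reusable (## {% data variables.product.pat_generic_caps %}s), which only reads correctly if the reusable's value ends in "token"; confirm that, or use a plural reusable if one exists. Since this page groups endpoints by the permission name shown in a GitHub App's permission settings, check that both new headings match those names exactly, and that the read/write annotations on the four POST endpoints (write) and four GET endpoints (read) agree with the API reference pages they link to.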
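Review bot: in the tracks-vulnerabilities.md hunk, the Go entry's URL changes from the vulncheck package page (golang.org/x/vuln/vulncheck) to the Go vulnerability database listing at https://pkg.go.dev/vuln/, but the link text is still "Go Vulncheck database". vulncheck is the scanning tool, not the database, so rename the entry (for example to "Go Vulnerability Database") so that the text matches its new target. The FriendsOfPHP and Python Packaging Advisory lines are identical in both versions, so those two are whitespace-only changes; fine, but worth a mention in the PR description so reviewers do not hunt for a content difference.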
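Review bot: the excluded-links.js hunk adds 'https://www.microsoft.com/en-us/edge' to the link-checker exclusion list with no rationale. An excluded URL is never flagged again if it breaks or redirects somewhere unhelpful, so add a short comment beside the entry (or in the commit message) saying why it is excluded, for example that the site blocks or rate-limits the checker, so the exclusion can be revisited later rather than accumulating silently.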