Note:
Campaigns for secret scanning alerts are currently in public preview and are subject to change.
Creating a security campaign
Security campaigns are created and managed from the Security tab for your organization.
You choose the alerts that you want to include in the campaign by using either:
- Campaign templates: Campaign templates contain filters for the most common alert selections. For code campaigns, they also all include the requirement that GitHub Copilot Autofix is supported for all the alert types included (that is, `autofix:supported`).
- Custom filters: Creating a campaign using custom filters lets you define your own criteria for selecting alerts for the campaign, and lets you tailor your campaign to your organization's specific needs.
In addition, you can use the REST API to create and interact with campaigns more efficiently and at scale. For more information, see REST API endpoints for security campaigns.
Create a campaign
1. On GitHub, navigate to the main page of the organization.
2. Under your organization name, click Security.
3. In the left sidebar, click Campaigns.
4. Click Create campaign, then select one of the following options:
   - Click From template, then select a pre-defined Code or Secrets campaign template from the list.
   - Click From code scanning filters or From secret scanning filters, then add filters to define a subset of alerts for your campaign. See Examples of useful filters.
5. Review the set of alerts to be included in the campaign, and adjust the filters as necessary. Make sure you have chosen 1000 alerts or fewer.
6. When you are satisfied with the scope of the campaign, click Save as, then choose whether you want to create a draft campaign, or move straight ahead to finalizing the details of the campaign before publishing it:
   - If you plan to review the scope and details of the campaign prior to launch, or seek feedback on the implementation of the campaign, click Draft campaign.
   - If you intend to publish the campaign, and don't need a review phase, click Publish campaign.
7. Optionally, if you have chosen to create a draft campaign, edit, save, and review the details of the campaign:
   - Edit the "Campaign name" and "Short description" to match your campaign needs and to link to any resources that support the campaign.
   - Define a "Campaign due date" and select one or more "Campaign managers" as the primary contacts for the campaign. Campaign managers must be users or teams that are owners or security managers in the organization.
   - Optionally, provide a "Contact link", for example a link to a GitHub Discussions or another communication channel, for contacting the campaign managers.
   - Click Save draft.
   - When you are ready to publish the campaign, in the top right corner, click Review and publish.
8. On the "Publish campaign" page, review or edit the campaign details:
   - Campaign name
   - Short description
   - Due date
   - Campaign managers
   - Contact link
9. Optionally, for "Code" campaigns, to create a campaign issue in each repository included in the campaign, on the "Publish campaign" page, under "Automations", select the checkbox next to "Create issues for NUMBER repositories in this campaign".
10. Click Publish campaign.
The security campaign is created and the campaign overview page is displayed.
Examples of useful filters
All the template filters use `is:open` to include only alerts that need to be resolved. For code scanning alerts, they must also be present in the default branch.
Additional default filters for code scanning alerts:
- `autofilter:true` includes only alerts that appear to be in application code.
- `autofix:supported` includes only alerts that are for rules that are supported for GitHub Copilot Autofix.
For more information about filtering alerts, see Best practices for fixing security alerts at scale and Filtering alerts in security overview.
Code scanning alert filters
In addition to the core filters, you will usually want to add a filter to limit results to a specific rule name, severity, or tag.
- `is:open autofilter:true autofix:supported rule:java/log-injection` to show only alerts for log injection in Java code. See Query lists for the default query suites.
- `is:open autofilter:true autofix:supported tag:external/cwe/cwe-117` to show only alerts for "CWE 117: Improper Output Neutralization for Logs". This includes log injection in Java and other languages.
- `is:open autofilter:true autofix:supported severity:critical` to show only alerts with a security severity of critical.
Secret scanning alert filters
In addition to the core filters, you will usually want to add a filter to limit results to a specific provider, secret type, or secrets that bypassed push protection (enterprise accounts only).
- `is:open provider:azure` to show only alerts for the token provider Azure.
- `is:open secret-type:azure_ai_services_key,azure_cognitive_services_key` to show only alerts for the tokens "azure_ai_services_key" and "azure_cognitive_services_key". See Supported secret scanning patterns.
- `is:open props.BusinessPriority:Urgent` to show only alerts for repositories where the custom property "BusinessPriority" has the value "Urgent". See Managing custom properties for repositories in your organization.
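To make the filter semantics above concrete for both the code scanning and secret scanning examples, here is an added Python model (not GitHub's code) that evaluates a filter string against a constructed set of alerts: every key must match, a comma-separated list is an OR, `props.<Name>` reads a custom repository property, code scanning alerts must also sit in the default branch, and the result is checked against the 1000-alert campaign limit. The alert dict keys and sample values are constructed for this example and are not GitHub's alert schema.

```python
"""Evaluate campaign alert filters over constructed alert records.

Alert dicts are constructed here; their keys mirror the filter keywords
and are not GitHub's alert schema.
"""

MAX_CAMPAIGN_ALERTS = 1000  # a campaign may contain at most 1000 alerts

# Constructed sample: code scanning alerts (alert 3 is not in the default branch).
CODE_ALERTS = [
    {"number": 1, "is": "open", "default_branch": True, "autofilter": True,
     "autofix": "supported", "rule": "java/log-injection",
     "tags": ["external/cwe/cwe-117"], "severity": "high"},
    {"number": 2, "is": "open", "default_branch": True, "autofilter": True,
     "autofix": "supported", "rule": "py/log-injection",
     "tags": ["external/cwe/cwe-117"], "severity": "critical"},
    {"number": 3, "is": "open", "default_branch": False, "autofilter": True,
     "autofix": "supported", "rule": "java/log-injection",
     "tags": ["external/cwe/cwe-117"], "severity": "critical"},
]
# Constructed sample: secret scanning alerts with custom repository properties.
SECRET_ALERTS = [
    {"number": 10, "is": "open", "provider": "azure",
     "secret-type": "azure_ai_services_key", "props": {"BusinessPriority": "Urgent"}},
    {"number": 11, "is": "open", "provider": "github",
     "secret-type": "github_personal_access_token", "props": {"BusinessPriority": "Low"}},
]

def parse_filter(query):
    """Turn 'key:value key2:a,b' into {key: {values}}; comma lists are ORed."""
    parsed = {}
    for token in query.split():
        key, _, value = token.partition(":")
        parsed.setdefault(key, set()).update(v.lower() for v in value.split(","))
    return parsed

def matches(alert, filters, kind):
    """Every filter key must match; code scanning alerts must be in the default branch."""
    for key, wanted in filters.items():
        if key.startswith("props."):      # custom repository property, e.g. props.BusinessPriority
            actual = [alert.get("props", {}).get(key[len("props."):], "")]
        elif key == "tag":                # an alert can carry several tags
            actual = alert.get("tags", [])
        else:
            actual = [alert.get(key, "")]
        if not {str(a).lower() for a in actual} & wanted:
            return False
    return kind != "code" or alert.get("default_branch", False)

def select_alerts(alerts, query, kind):
    """Return the alert numbers in scope, enforcing the 1000-alert campaign limit."""
    chosen = [a["number"] for a in alerts if matches(a, parse_filter(query), kind)]
    if len(chosen) > MAX_CAMPAIGN_ALERTS:
        raise ValueError(f"{len(chosen)} alerts selected; narrow the filters")
    return chosen
```

Running `select_alerts(CODE_ALERTS, "is:open autofilter:true autofix:supported rule:java/log-injection", "code")` returns only alert 1, because alert 3 matches the rule but is excluded by the default-branch requirement.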
Launching a security campaign
When you create a code campaign, all the alerts are automatically submitted to GitHub Copilot Autofix to be processed as capacity allows. This ensures that suggestions for alerts found in pull requests aren't delayed by a new campaign. In most cases, you should find that all suggestions that can be created are ready within an hour. At busy times of day, or for particularly complex alerts, it will take longer.
How developers know a security campaign has started
The new campaign is shown in the sidebar of the "Security" tab for each repository included.
- Code campaigns: Anyone with write access to a repository included in the campaign is notified.
- Secret campaigns: Anyone with access to see the alert list view for a repository included in the campaign is notified.
Tip
You can assign a campaign alert to anyone with write access to the repository, see Assigning alerts.
For more information about the developer experience, see Fixing alerts in a security campaign.
How to increase engagement with the security campaign
The best way to increase engagement with a campaign is to publicize it to the teams you want to collaborate with to remediate alerts. For example, you might work with engineering managers to choose a quieter development period to run a series of security campaigns, each focused on a different type of alert, with associated training sessions. For more ideas, see Best practices for fixing security alerts at scale.
Editing security campaign details
You can edit the name, description, due date, and manager for a campaign.
1. On GitHub, navigate to the main page of the organization.
2. Under your organization name, click Security.
3. In the left sidebar, click Campaigns.
4. From the list of campaigns, click the name of the campaign to display the campaign tracking view.
5. In the campaign title row, click and select Edit campaign.
6. In the "Edit campaign" dialog, make your changes and then click Save changes.
The changes are made immediately.
Closing, reopening and deleting security campaigns
There is a limit of 10 active campaigns. When a campaign is complete, or if you want to pause it, you should close it. You can still view all closed campaigns in the "Closed" campaign list, and you can reopen a closed campaign.
If you don't need to retain the campaign or its data, you can delete it.
Close a campaign
1. On GitHub, navigate to the main page of the organization.
2. Under your organization name, click Security.
3. In the left sidebar, click Campaigns.
4. To the right of the campaign you want to close, click , then select Close campaign.
Reopen a closed campaign
1. On GitHub, navigate to the main page of the organization.
2. Under your organization name, click Security.
3. In the left sidebar, click Campaigns.
4. Above the list of campaigns, click Closed to view the list of closed campaigns.
5. To the right of the campaign you want to reopen, click , then select Reopen campaign.
Delete a campaign
1. On GitHub, navigate to the main page of the organization.
2. Under your organization name, click Security.
3. In the left sidebar, click Campaigns.
4. To the right of the campaign you want to delete, click , then select Delete campaign.