Commit ece3a5e

authored
Merge pull request #41335 from github/repo-sync
Repo sync
2 parents c954b1d + 1b893a1 commit ece3a5e

File tree

88 files changed

+2806
-6933
lines changed


content/code-security/securing-your-organization/introduction-to-securing-your-organization-at-scale/about-enabling-security-features-at-scale.md

Lines changed: 8 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -72,6 +72,14 @@ If your organization uses private registries, providing {% data variables.produc
7272

7373
{% endif %}
7474

75+
{% ifversion fpt or ghec %}
76+
77+
## About integrating production context
78+
79+
If your organization uses {% data variables.product.prodname_microsoft_defender %}, JFrog Artifactory, or CI/CD to promote artifacts to production, you can integrate this data into {% data variables.product.github %}. This production context helps you prioritize {% data variables.product.prodname_code_scanning %} and {% data variables.product.prodname_dependabot %} alerts. For more information, see [AUTOTITLE](/code-security/securing-your-organization/understanding-your-organizations-exposure-to-vulnerabilities/alerts-in-production-code).
80+
81+
{% endif %}
82+
7583
## Next steps
7684

7785
{% ifversion security-configurations-cloud %}
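Review bot: "you can integrate this data into {% data variables.product.github %}" on the added line 79 has no antecedent for "this data"; the preceding clause names tools and a CI/CD process, not a data set. Suggest naming it explicitly, e.g. "you can integrate information about which artifacts are deployed to production into {% data variables.product.github %}", so the reader knows what the production context consists of. Also worth checking that the new `{% ifversion fpt or ghec %}` block is versioned consistently with the link target `/code-security/securing-your-organization/understanding-your-organizations-exposure-to-vulnerabilities/alerts-in-production-code`, since the "Next steps" section immediately after it is gated on a different condition (`security-configurations-cloud`).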
Lines changed: 39 additions & 23 deletions
@@ -1,11 +1,12 @@
11
---
2-
title: About your exposure to vulnerable dependencies
3-
shortTitle: Dependency vulnerability exposure
4-
intro: 'Understanding your organization’s exposure to vulnerable dependencies is essential for identifying and prioritizing security risks. Leveraging {% data variables.product.prodname_dependabot %} metrics on {% data variables.product.github %} enables you to efficiently assess, prioritize, and remediate vulnerabilities, reducing the likelihood of security breaches.'
2+
title: About exposure to vulnerabilities in your code and in dependencies
3+
shortTitle: Vulnerability exposure
4+
intro: 'Understanding your organization’s exposure to vulnerabilities in first-party code and in all dependencies is essential for enabling you to efficiently assess, prioritize, and remediate vulnerabilities, reducing the likelihood of security breaches.'
55
allowTitleToDifferFromFilename: true
66
product: '{% data reusables.gated-features.ghas-billing %}'
77
versions:
88
feature: dependabot-metrics
9+
contentType: concepts
910
topics:
1011
- Code Security
1112
- Secret Protection
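Review bot: the `versions:` block still gates this article on `feature: dependabot-metrics` alone (lines 7-8), but the new title and intro widen the scope to first-party code, and the body now documents {% data variables.product.prodname_code_scanning %} pull-request metrics. If those metrics ship under a separate feature flag, the page will render on versions where the code scanning sections do not apply; either add that feature to the `versions:` block or wrap the code scanning material in its own `{% ifversion %}`. The rename keeps `allowTitleToDifferFromFilename: true`, which is correct since the file name presumably still refers to vulnerable dependencies.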
@@ -15,57 +16,72 @@ redirect_from:
1516
- /code-security/securing-your-organization/understanding-your-organizations-exposure-to-vulnerabilites/about-your-exposure-to-vulnerable-dependencies
1617
---
1718

18-
## About exposure to vulnerable dependencies
19+
## About exposure to vulnerable code
1920

20-
Assessing your exposure to vulnerable dependencies is crucial if you want to prevent:
21+
Your organization has exposure to vulnerabilities in both the code you write and maintain, and in the open-source or third-party dependencies your code uses. Assessing your exposure to vulnerable dependencies is crucial if you want to prevent:
2122

22-
* **Supply chain compromise**. Attackers can exploit vulnerabilities in open source or third-party dependencies to inject malicious code, elevate privileges, or gain unauthorized access to your systems. Compromised dependencies can serve as indirect entry points for malicious actors, leading to wide-reaching security incidents.
23+
* **Unplanned downtime and operational disruption**. Exploitation of vulnerabilities can result in application outages, degraded service quality, or cascading failures in critical systems, disrupting your business operations.
24+
25+
* **Increased remediation costs**. The longer vulnerable code remains unaddressed, the more difficult and expensive it becomes to fix, especially if the code is deeply integrated or if incidents occur. Early detection and remediation reduce the risk of costly incident response, emergency patching, and reputational harm.
2326

24-
* **Widespread propagation of risk**. Vulnerable dependencies are often reused across multiple applications and services, meaning a single flaw can propagate throughout your organization, compounding the risk and impact of exploitation.
27+
* **Widespread propagation of risk**. Vulnerable modules and dependencies are often reused across multiple applications and services, meaning a single flaw can propagate throughout your organization, compounding the risk and impact of exploitation.
2528

26-
* **Unplanned downtime and operational disruption**. Exploitation of dependency vulnerabilities can result in application outages, degraded service quality, or cascading failures in critical systems, disrupting your business operations.
29+
* **Supply chain compromise**. Attackers can exploit vulnerabilities in open source or third-party dependencies to inject malicious code, elevate privileges, or gain unauthorized access to your systems. Compromised dependencies can serve as indirect entry points for malicious actors, leading to wide-reaching security incidents.
2730

2831
* **Regulatory and licensing issues**. Many regulations and industry standards require organizations to proactively address known vulnerabilities in their software supply chain. Failing to remediate vulnerable dependencies can result in non-compliance, audits, legal penalties, or breaches of open source license obligations.
2932

30-
* **Increased remediation costs**. The longer vulnerable dependencies remain unaddressed, the more difficult and expensive they become to fix, especially if they are deeply integrated or if incidents occur. Early detection and remediation reduce the risk of costly incident response, emergency patching, and reputational harm.
33+
Regularly assessing your exposure to vulnerabilities is good practice to help identify risks early, implement effective remediation strategies, and maintain resilient, trustworthy software.
34+
35+
## Ways to monitor your repositories for vulnerable code
3136

32-
Regularly assessing your exposure to dependency vulnerabilities is good practice to help identify risks early, implement effective remediation strategies, and maintain resilient, trustworthy software.
37+
* **{% data variables.product.prodname_code_scanning_caps %}** automatically monitors your project's code for vulnerabilities. When it detects a security issue in a pull request, it creates an alert with an autofix suggestion to resolve the vulnerability. This lowers the barrier to resolution and helps ensure your project remains secure. See [AUTOTITLE](/code-security/code-scanning/enabling-code-scanning/configuring-default-setup-for-code-scanning).
3338

34-
{% data variables.product.prodname_dependabot %} automatically monitors your project’s dependencies for vulnerabilities and outdated packages. When it detects a security issue or a new version, it creates pull requests to update the affected dependencies, helping you quickly address security risks and keep your software up to date. This reduces manual effort and helps ensure your project remains secure. See [AUTOTITLE](/code-security/getting-started/dependabot-quickstart-guide).
39+
* **{% data variables.product.prodname_dependabot %}** automatically monitors your project’s dependencies for vulnerabilities and outdated packages. When it detects a security issue or a new version, it creates pull requests to update the affected dependencies, helping you quickly address security risks and keep your software up to date. This reduces manual effort and helps ensure your project remains secure. See [AUTOTITLE](/code-security/getting-started/dependabot-quickstart-guide).
3540

3641
{% data variables.product.github %} provides a comprehensive set of {% data variables.product.prodname_dependabot %} metrics to help you monitor, prioritize, and remediate these risks across all repositories in your organization. See [AUTOTITLE](/code-security/security-overview/viewing-metrics-for-dependabot-alerts).
3742

3843
## Key tasks for AppSec managers
3944

40-
### 1. Monitor vulnerability metrics
45+
### 1. Monitor vulnerability metrics for dependencies
4146

4247
Use the metrics overview for {% data variables.product.prodname_dependabot %} to gain visibility into the current state of your organization's dependency vulnerabilities. See [AUTOTITLE](/code-security/security-overview/viewing-metrics-for-dependabot-alerts).
4348

4449
* **Alert prioritization:** Review the number of open {% data variables.product.prodname_dependabot_alerts %} and use filters such as CVSS severity, EPSS exploit likelihood, patch availability, and whether a vulnerable dependency is actually used in deployed artifacts. {% data reusables.security-overview.dependabot-filters-link %}
4550
* **Repository-level breakdown:** Identify which repositories have the highest number of critical or exploitable vulnerabilities.
4651
* **Remediation tracking:** Track the number and percentage of alerts fixed over time to measure the effectiveness of your vulnerability management program.
4752

48-
### 2. Prioritize remediation efforts
53+
### 2. Monitor introduction of new {% data variables.product.prodname_code_scanning %} alerts
54+
55+
Use the alert view for {% data variables.product.prodname_code_scanning %} to gain visibility into remediation activity in your organization's pull requests. See [AUTOTITLE](/code-security/security-overview/viewing-metrics-for-pull-request-alerts).
56+
57+
* **Alerts in pull requests:** Review how many alerts were detected and merged into the default branch without resolution.
58+
* **Most prevalent rules:** Identify rules that are frequently triggered where developer education is needed.
59+
* **Repository-level breakdown:** Identify which repositories have the highest number of alerts detected in pull requests but still merged into the default branch.
60+
* **Remediation tracking:** Track the number and percentage of alerts fixed over time to measure the effectiveness of your vulnerability management program.
61+
62+
### 3. Prioritize remediation efforts
4963

5064
Focus on vulnerabilities that present the highest risk to your organization.
5165

52-
* Prioritize alerts with high or critical severity, high EPSS scores, and available patches.
53-
* Use the repository breakdown to direct remediation efforts to the most at-risk projects.
54-
* Encourage development teams to address vulnerabilities that are actually used in deployed artifacts through repository custom properties.
66+
* Prioritize alerts with high or critical severity. For {% data variables.product.prodname_dependabot_alerts %}, also prioritize high EPSS scores, and available patches.
67+
* Use the repository breakdown information to direct remediation efforts to the most at-risk projects.{% ifversion fpt or ghec %}
68+
* Encourage development teams to address vulnerabilities that are actually used in deployed artifacts through repository custom properties and using production context. See [AUTOTITLE](/code-security/securing-your-organization/understanding-your-organizations-exposure-to-vulnerabilities/alerts-in-production-code).{% endif %}
69+
* Create security campaigns to encourage and track the remediation of high priority {% data variables.product.prodname_code_scanning %} alerts. See [AUTOTITLE](/code-security/securing-your-organization/fixing-security-alerts-at-scale/creating-managing-security-campaigns).
5570

56-
### 3. Communicate risk and progress
71+
### 4. Communicate risk and progress
5772

58-
* Use the {% data variables.product.prodname_dependabot %} metrics page to communicate key risk factors and remediation progress to stakeholders.
73+
* Use the metrics pages to communicate key risk factors and remediation progress to stakeholders.
5974
* Provide regular updates on trends, such as the reduction in open critical vulnerabilities or improvements in remediation rates.
6075
* Highlight repositories or teams that require additional support or attention.
6176

62-
### 4. Establish and enforce policies
77+
### 5. Establish and enforce policies
6378

64-
* Set organization-wide policies to require dependency review and {% data variables.product.prodname_dependabot_alerts %} on all repositories. See [AUTOTITLE](/code-security/supply-chain-security/understanding-your-software-supply-chain/about-dependency-review) and [AUTOTITLE](/code-security/dependabot/dependabot-alerts/about-dependabot-alerts).
65-
* Ensure that new repositories are automatically enrolled in dependency monitoring.
79+
* Set an organization-wide security configuration that enables {% data variables.product.prodname_dependabot %} and {% data variables.product.prodname_code_scanning %} on all existing and new repositories. See [AUTOTITLE](/code-security/securing-your-organization/introduction-to-securing-your-organization-at-scale/about-enabling-security-features-at-scale).
80+
* Enable dependency review to comment on pull requests in all repositories.
81+
* Create an organization-wide ruleset to protect the default branch and require critical {% data variables.product.prodname_code_scanning %} alerts to be fixed before a pull request can be merged. See [AUTOTITLE](/organizations/managing-organization-settings/managing-rulesets-for-repositories-in-your-organization).
6682
* Work with repository administrators to enable automated security updates where possible. See [AUTOTITLE](/code-security/dependabot/dependabot-security-updates/about-dependabot-security-updates).
6783

68-
### 5. Assess the impact of {% data variables.product.prodname_dependabot_alerts %}
84+
### 6. Assess the impact of alerts
6985

70-
* Regularly review how {% data variables.product.prodname_dependabot_alerts %} are helping to block security vulnerabilities from entering your codebase.
86+
* Regularly review how {% data variables.product.prodname_dependabot %} and {% data variables.product.prodname_code_scanning %} alerts are helping to block security vulnerabilities from entering your codebase.
7187
* Use historical data to demonstrate the value of proactive dependency management.
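Review bot: added line 55 says "Use the alert view for {% data variables.product.prodname_code_scanning %} to gain visibility into remediation activity", but the link target is `viewing-metrics-for-pull-request-alerts` and the heading is about monitoring alert introduction; suggest mirroring section 1 with "Use the metrics overview for {% data variables.product.prodname_code_scanning %} pull request alerts" so the wording matches the page being linked. Two smaller points in the same hunk: the "Remediation tracking" bullet on line 60 repeats line 52 word for word, so either drop it or make it specific to pull-request alerts (for example, the percentage of alerts fixed before merge); and line 66 has a stray comma in "high EPSS scores, and available patches", which should read "high EPSS scores and available patches".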
