Note:
Campaigns for secret scanning alerts are currently in public preview and are subject to change.
Creating a security campaign
Security campaigns are created and managed from the Security tab for your organization.
You choose the alerts that you want to include in the campaign by using either:
- Campaign templates: Campaign templates contain filters for the most common alert selections. For code campaigns, they also all include the requirement that GitHub Copilot Autofix is supported for all the alert types included (that is, autofix:supported).
- Custom filters: Creating a campaign using custom filters lets you define your own criteria for selecting alerts for the campaign, and lets you tailor your campaign to your organization's specific needs.
In addition, you can use the REST API to create and interact with campaigns more efficiently and at scale. For more information, see REST API endpoints for security campaigns.
Create a campaign
1. On GitHub, navigate to the main page of your organization.
2. Under your organization name, click Security.
3. In the left sidebar, click Campaigns.
4. Click Create campaign, then select one of the following options:
   - Click From template, then select a pre-defined Code or Secrets campaign template from the list.
   - Click From code scanning filters or From secret scanning filters, then add filters to define a subset of alerts for your campaign. See Examples of useful filters.
5. Review the set of alerts to be included in the campaign, and adjust the filters as necessary. Make sure you have chosen 1000 alerts or fewer.
6. When you are satisfied with the scope of the campaign, click Save as, then choose whether to create a draft campaign or to move straight ahead to finalizing the details of the campaign before publishing it:
   - If you plan to review the scope and details of the campaign prior to launch, or to seek feedback on the implementation of the campaign, click Draft campaign.
   - If you intend to publish the campaign and don't need a review phase, click Publish campaign.
7. Optionally, if you have chosen to create a draft campaign, edit, save, and review the details of the campaign:
   - Edit the "Campaign name" and "Short description" to match your campaign needs and to link to any resources that support the campaign.
   - Define a "Campaign due date" and select one or more "Campaign managers" as the primary contacts for the campaign. Campaign managers must be users or teams that are owners or security managers in the organization.
   - Optionally, provide a "Contact link", for example a link to a GitHub Discussions or another communication channel, for contacting the campaign managers.
   - Click Save draft.
   - When you are ready to publish the campaign, in the top right corner, click Review and publish.
8. On the "Publish campaign" page, review or edit the campaign details:
   - Campaign name
   - Short description
   - Due date
   - Campaign managers
   - Contact link
9. Optionally, for "Code" campaigns, to create a campaign issue in each repository included in the campaign, on the "Publish campaign" page, under "Automations", select the checkbox next to "Create issues for NUMBER repositories in this campaign".
10. Click Publish campaign.
The security campaign is created and the campaign overview page is displayed.
Examples of useful filters
All the template filters use is:open to include only alerts that need to be resolved. For code scanning alerts, they must also be present in the default branch.
Additional default filters for code scanning alerts:
- autofilter:true includes only alerts that appear to be in application code.
- autofix:supported includes only alerts that are for rules that are supported for GitHub Copilot Autofix.
For more information about filtering alerts, see Best practices for fixing security alerts at scale and Filtering alerts in security overview.
Code scanning alert filters
In addition to the core filters, you will usually want to add a filter to limit results to a specific rule name, severity, or tag.
- is:open autofilter:true autofix:supported rule:java/log-injection to show only alerts for log injection in Java code. See Queries for CodeQL analysis.
- is:open autofilter:true autofix:supported tag:external/cwe/cwe-117 to show only alerts for "CWE 117: Improper Output Neutralization for Logs". This includes log injection in Java and other languages.
- is:open autofilter:true autofix:supported severity:critical to show only alerts with a security severity of critical.
Secret scanning alert filters
In addition to the core filters, you will usually want to add a filter to limit results to a specific provider, secret type, or secrets that bypassed push protection (enterprise accounts only).
- is:open provider:azure to show only alerts for the token provider Azure.
- is:open secret-type:azure_ai_services_key,azure_cognitive_services_key to show only alerts for the tokens "azure_ai_services_key" and "azure_cognitive_services_key". See Supported secret scanning patterns.
- is:open props.BusinessPriority:Urgent to show only alerts for repositories where the custom property "BusinessPriority" has the value "Urgent". See Managing custom properties for repositories in your organization.
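As an added example (not GitHub's own code), the following Python evaluates filter strings of the kind shown above against constructed alert records, then groups the matches into per-repository entries of the kind the REST API note earlier refers to. The matching rules are an approximation of GitHub's filtering inferred from this page (every key must match; a comma-separated value list means any of those values; props.NAME reads a repository custom property), and the alert record shape and the repository_id / alert_numbers field names are assumptions to check against the campaigns endpoint reference.

```python
from collections import defaultdict

MAX_CAMPAIGN_ALERTS = 1000  # limit stated in the "Create a campaign" steps

# Constructed sample alerts; keys mirror the filter keys used on this page.
# "repository_id" and "number" are assumed identifiers, not values from the page.
SAMPLE_ALERTS = [
    {"repository_id": 101, "number": 7, "is": "open", "autofilter": "true",
     "autofix": "supported", "rule": "java/log-injection",
     "tag": ["external/cwe/cwe-117"], "severity": "high"},
    {"repository_id": 101, "number": 9, "is": "open", "autofilter": "true",
     "autofix": "unsupported", "rule": "java/log-injection",
     "tag": ["external/cwe/cwe-117"], "severity": "high"},
    {"repository_id": 202, "number": 3, "is": "open", "autofilter": "true",
     "autofix": "supported", "rule": "py/sql-injection",
     "tag": ["external/cwe/cwe-089"], "severity": "critical",
     "props": {"BusinessPriority": "Urgent"}},
    {"repository_id": 202, "number": 4, "is": "closed", "autofilter": "true",
     "autofix": "supported", "rule": "py/sql-injection",
     "tag": ["external/cwe/cwe-089"], "severity": "critical"},
]

def parse_filter(expr):
    """'is:open rule:a,b' -> {'is': {'open'}, 'rule': {'a', 'b'}} (comma = any of)."""
    terms = {}
    for token in expr.split():
        key, _, value = token.partition(":")
        terms.setdefault(key, set()).update(value.split(","))
    return terms

def matches(alert, terms):
    """True when every filter key is satisfied; list-valued fields (tags) match on any element."""
    for key, wanted in terms.items():
        if key.startswith("props."):  # repository custom property, e.g. props.BusinessPriority
            actual = alert.get("props", {}).get(key[len("props."):])
        else:
            actual = alert.get(key)
        values = set(actual) if isinstance(actual, list) else {actual}
        if not values & wanted:
            return False
    return True

def select_alerts(alerts, expr):
    return [a for a in alerts if matches(a, parse_filter(expr))]

def campaign_alert_payload(alerts):
    """Group selected alerts by repository; refuse selections over the campaign limit."""
    if len(alerts) > MAX_CAMPAIGN_ALERTS:
        raise ValueError(f"{len(alerts)} alerts selected; narrow the filters to {MAX_CAMPAIGN_ALERTS} or fewer")
    by_repo = defaultdict(list)
    for a in alerts:
        by_repo[a["repository_id"]].append(a["number"])
    return [{"repository_id": r, "alert_numbers": sorted(n)} for r, n in sorted(by_repo.items())]
```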
Launching a security campaign
When you create a code campaign, all the alerts are automatically submitted to GitHub Copilot Autofix to be processed as capacity allows. This ensures that suggestions for alerts found in pull requests aren't delayed by a new campaign. In most cases, you should find that all suggestions that can be created are ready within an hour. At busy times of day, or for particularly complex alerts, it will take longer.
How developers know a security campaign has started
The new campaign is shown in the sidebar of the "Security" tab for each repository included.
- Code campaigns: Anyone with write access to a repository included in the campaign is notified.
- Secret campaigns: Anyone with access to see the alert list view for a repository included in the campaign is notified.
Tip
You can assign a campaign alert to anyone with write access to the repository. See Assigning alerts.
For more information about the developer experience, see Fixing alerts in a security campaign.
How to increase engagement with the security campaign
The best way to increase engagement with a campaign is to publicize it to the teams you want to collaborate with to remediate alerts. For example, you might work with engineering managers to choose a quieter development period to run a series of security campaigns, each focused on a different type of alert, with associated training sessions. For more ideas, see Best practices for fixing security alerts at scale.
Editing security campaign details
You can edit the name, description, due date, and manager for a campaign.
1. On GitHub, navigate to the main page of your organization.
2. Under your organization name, click Security.
3. In the left sidebar, click Campaigns.
4. From the list of campaigns, click the name of the campaign to display the campaign tracking view.
5. In the campaign title row, click and select Edit campaign.
6. In the "Edit campaign" dialog, make your changes and then click Save changes.
The changes are made immediately.
Closing, reopening and deleting security campaigns
There is a limit of 10 active campaigns. When a campaign is complete, or if you want to pause it, you should close it. You can still view all closed campaigns in the "Closed" campaign list, and you can reopen a closed campaign.
If you don't need to retain the campaign or its data, you can delete it.
Close a campaign
1. On GitHub, navigate to the main page of your organization.
2. Under your organization name, click Security.
3. In the left sidebar, click Campaigns.
4. To the right of the campaign you want to close, click , then select Close campaign.
Reopen a closed campaign
1. On GitHub, navigate to the main page of your organization.
2. Under your organization name, click Security.
3. In the left sidebar, click Campaigns.
4. Above the list of campaigns, click Closed to view the list of closed campaigns.
5. To the right of the campaign you want to reopen, click , then select Reopen campaign.
Delete a campaign
1. On GitHub, navigate to the main page of your organization.
2. Under your organization name, click Security.
3. In the left sidebar, click Campaigns.
4. To the right of the campaign you want to delete, click , then select Delete campaign.