
Creating and managing security campaigns

You can manage security campaigns directly from the security overview for your organization.

Who can use this feature?

Organization owners, security managers, and organization members with the admin role

Organizations on GitHub Team or GitHub Enterprise Cloud with GitHub Secret Protection or GitHub Code Security enabled

Note

Campaigns for secret scanning alerts are currently in public preview and subject to change.

Creating a security campaign

Security campaigns are created and managed from the Security tab for your organization.

You choose the alerts that you want to include in the campaign by using either:

  • Campaign templates: Campaign templates contain filters for the most common alert selections. For code campaigns, they also all include the requirement that GitHub Copilot Autofix is supported for all the alert types included (that is, autofix:supported).
  • Custom filters: Creating a campaign using custom filters lets you define your own criteria for selecting alerts for the campaign, and lets you tailor your campaign to your organization's specific needs.

You can also use the REST API to create and interact with campaigns more efficiently and at scale. For more information, see REST API endpoints for security campaigns.

Create a campaign

  1. On GitHub, navigate to the main page of your organization.

  2. Under your organization name, click Security.

    Screenshot of the horizontal navigation bar for an organization. A tab, labeled with a shield icon and "Security," is outlined in dark orange.

  3. In the sidebar, click Campaigns.

  4. Click Create campaign, then select one of the following options:

    • Click From template, then select a pre-defined Code or Secrets campaign template from the list.
    • Click From code scanning filters or From secret scanning filters, then add filters to define a subset of alerts for your campaign. See Examples of useful filters.
  5. Review the set of alerts to be included in the campaign, and adjust the filters as necessary. Make sure you have chosen 1000 alerts or fewer.

  6. When you are satisfied with the scope of the campaign, click Save as, then choose whether you want to create a draft campaign, or move straight ahead to finalizing the details of the campaign before publishing it:

    • If you plan to review the scope and details of the campaign prior to launch, or seek feedback on the implementation of the campaign, click Draft campaign.
    • If you intend to publish the campaign, and don't need a review phase, click Publish campaign.
  7. Optionally, if you have chosen to create a draft campaign, edit, save, and review the details of the campaign:

    • Edit the "Campaign name" and "Short description" to match your campaign needs and to link to any resources that support the campaign.
    • Define a "Campaign due date" and select one or more "Campaign managers" as the primary contacts for the campaign. Campaign managers must be users or teams that are owners or security managers in the organization.
    • Optionally, provide a "Contact link", for example a link to a GitHub Discussions or another communication channel, for contacting the campaign managers.
    • Click Save draft.
    • When you are ready to publish the campaign, in the top right corner, click Review and publish.
  8. On the "Publish campaign" page, review or edit the campaign details:

    • Campaign name
    • Short description
    • Due date
    • Campaign managers
    • Contact link
  9. Optionally, for "Code" campaigns, to create a campaign issue in each repository included in the campaign, on the "Publish campaign" page, under "Automations", select the checkbox next to "Create issues for NUMBER repositories in this campaign".

  10. Click Publish campaign.

The security campaign is created and the campaign overview page is displayed.


Examples of useful filters

All the template filters use is:open to include only alerts that need to be resolved. For code scanning alerts, they must also be present in the default branch.

Additional default filters for code scanning alerts:

  • autofilter:true includes only alerts that appear to be in application code.
  • autofix:supported includes only alerts that are for rules that are supported for GitHub Copilot Autofix.

For more information about filtering alerts, see Best practices for fixing security alerts at scale and Filtering alerts in security overview.

Code scanning alert filters

In addition to the core filters, you will usually want to add a filter to limit results to a specific rule name, severity, or tag.

  • is:open autofilter:true autofix:supported rule:java/log-injection to show only alerts for log injection in Java code. See Queries for CodeQL analysis.
  • is:open autofilter:true autofix:supported tag:external/cwe/cwe-117 to show only alerts for "CWE 117: Improper Output Neutralization for Logs". This includes log injection in Java and other languages.
  • is:open autofilter:true autofix:supported severity:critical to show only alerts with a security severity of critical.
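To show how the filters above narrow a set of code scanning alerts, here is an added example (not GitHub's own code) that parses the documented `key:value` filter syntax, applies it to a constructed list of alerts, enforces the default-branch requirement for code campaigns and the 1000-alert limit. The alert records, their field names, and the function names are assumptions made for this illustration.

```python
# Added example (not GitHub's code): apply the documented filter syntax to alerts.
MAX_CAMPAIGN_ALERTS = 1000  # documented per-campaign limit
KNOWN_KEYS = {"is", "autofilter", "autofix", "rule", "tag", "severity"}

# Constructed alerts; field names are assumptions. 3 is test code, 4 is off the default branch.
SAMPLE_ALERTS = [
    {"number": 1, "state": "open", "autofilter": True, "autofix": "supported",
     "rule": "java/log-injection", "tags": ["external/cwe/cwe-117"],
     "severity": "high", "on_default_branch": True},
    {"number": 2, "state": "open", "autofilter": True, "autofix": "supported",
     "rule": "py/log-injection", "tags": ["external/cwe/cwe-117"],
     "severity": "medium", "on_default_branch": True},
    {"number": 3, "state": "open", "autofilter": False, "autofix": "supported",
     "rule": "java/log-injection", "tags": ["external/cwe/cwe-117"],
     "severity": "high", "on_default_branch": True},
    {"number": 4, "state": "open", "autofilter": True, "autofix": "supported",
     "rule": "java/sql-injection", "tags": ["external/cwe/cwe-089"],
     "severity": "critical", "on_default_branch": False},
]

def parse_filter(query: str) -> dict[str, str]:
    """Turn 'is:open rule:java/log-injection' into {'is': 'open', 'rule': ...}."""
    filters = {}
    for token in query.split():
        key, sep, value = token.partition(":")
        if not sep or key not in KNOWN_KEYS:
            raise ValueError(f"unsupported filter token: {token!r}")
        filters[key] = value
    return filters

def matches(alert: dict, filters: dict[str, str]) -> bool:
    """True when the alert satisfies every key:value pair in the filter."""
    checks = {
        "is": lambda v: alert["state"] == v,
        "autofilter": lambda v: str(alert["autofilter"]).lower() == v,
        "autofix": lambda v: alert["autofix"] == v,
        "rule": lambda v: alert["rule"] == v,
        "tag": lambda v: v in alert["tags"],
        "severity": lambda v: alert["severity"] == v,
    }
    return all(checks[k](v) for k, v in filters.items())

def select_code_alerts(query: str, alerts=SAMPLE_ALERTS) -> list[int]:
    """Alert numbers for a code campaign: filters match, on default branch, within cap."""
    filters = parse_filter(query)
    chosen = [a["number"] for a in alerts
              if a["on_default_branch"] and matches(a, filters)]
    if len(chosen) > MAX_CAMPAIGN_ALERTS:
        raise ValueError(f"{len(chosen)} alerts exceed the cap of {MAX_CAMPAIGN_ALERTS}")
    return chosen
```

With the constructed data, the `rule:` filter from the first bullet selects only alert 1, the CWE-117 `tag:` filter also picks up the Python log-injection alert, and the `severity:critical` filter selects nothing because the only critical alert is not on the default branch.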

Secret scanning alert filters

In addition to the core filters, you will usually want to add a filter to limit results to a specific provider, secret type, or secrets that bypassed push protection (enterprise accounts only).

Launching a security campaign

When you create a code campaign, all the alerts are automatically submitted to GitHub Copilot Autofix to be processed as capacity allows. This ensures that suggestions for alerts found in pull requests aren't delayed by a new campaign. In most cases, you should find that all suggestions that can be created are ready within an hour. At busy times of day, or for particularly complex alerts, it will take longer.

How developers know a security campaign has started

The new campaign is shown in the sidebar of the "Security" tab for each repository included.

  • Code campaigns: Anyone with write access to a repository included in the campaign is notified.
  • Secret campaigns: Anyone with access to see the alert list view for a repository included in the campaign is notified.

You can assign a campaign alert to anyone with write access to the repository. For more information, see Assigning alerts.

For more information about the developer experience, see Fixing alerts in a security campaign.

How to increase engagement with the security campaign

The best way to increase engagement with a campaign is to publicize it to the teams you want to collaborate with to remediate alerts. For example, you might work with engineering managers to choose a quieter development period to run a series of security campaigns, each focused on a different type of alert, with associated training sessions. For more ideas, see Best practices for fixing security alerts at scale.

Editing security campaign details

You can edit the name, description, due date, and managers for a campaign.

  1. On GitHub, navigate to the main page of your organization.

  2. Under your organization name, click Security.

    Screenshot of the horizontal navigation bar for an organization. A tab, labeled with a shield icon and "Security," is outlined in dark orange.

  3. In the sidebar, click Campaigns.

  4. From the list of campaigns, click the name of the campaign to display the campaign tracking view.

  5. In the campaign title row, click the menu icon, then select Edit campaign.

  6. In the "Edit campaign" dialog make your changes and then click Save changes.

The changes are made immediately.

Closing, reopening and deleting security campaigns

There is a limit of 10 active campaigns. When a campaign is complete, or if you want to pause it, you should close it. You can still view all closed campaigns in the "Closed" campaign list, and you can reopen a closed campaign.

If you don't need to retain the campaign or its data, you can delete it.

Close a campaign

  1. On GitHub, navigate to the main page of your organization.

  2. Under your organization name, click Security.

    Screenshot of the horizontal navigation bar for an organization. A tab, labeled with a shield icon and "Security," is outlined in dark orange.

  3. In the sidebar, click Campaigns.

  4. To the right of the campaign you want to close, click the menu icon, then select Close campaign.

Reopen a closed campaign

  1. On GitHub, navigate to the main page of your organization.

  2. Under your organization name, click Security.

    Screenshot of the horizontal navigation bar for an organization. A tab, labeled with a shield icon and "Security," is outlined in dark orange.

  3. In the sidebar, click Campaigns.

  4. Above the list of campaigns, click Closed to view the list of closed campaigns.

  5. To the right of the campaign you want to reopen, click the menu icon, then select Reopen campaign.

Delete a campaign

  1. On GitHub, navigate to the main page of your organization.

  2. Under your organization name, click Security.

    Screenshot of the horizontal navigation bar for an organization. A tab, labeled with a shield icon and "Security," is outlined in dark orange.

  3. In the sidebar, click Campaigns.

  4. To the right of the campaign you want to delete, click the menu icon, then select Delete campaign.

Next steps