From db4ba65a69fad69f5b41f2e9bbb47de26ac4c869 Mon Sep 17 00:00:00 2001 From: "well-architected-sync-bot[bot]" <235114805+well-architected-sync-bot[bot]@users.noreply.github.com> Date: Tue, 5 May 2026 19:29:26 +0000 Subject: [PATCH] Sync from github/github-well-architected-internal (main) Source Repository: github/github-well-architected-internal Source Branch: main Source SHA: e4bd92459350722baddb6c85e25114fe52509dab --- CONTRIBUTING.md | 2 +- .../recommendations/securing-developer-workspace.md | 2 +- .../managing-repositories-at-scale/rulesets-best-practices.md | 2 +- content/library/productivity/quick-links.md | 2 +- content/library/scenarios/nist-ssdf-implementation.md | 2 +- 5 files changed, 5 insertions(+), 5 deletions(-) diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md index 974cbc1..a65386f 100644 --- a/CONTRIBUTING.md +++ b/CONTRIBUTING.md @@ -411,7 +411,7 @@ See [Framework Overview] for details on each pillar. - Keep sentences **short and clear** - Avoid unnecessary jargon - Include practical examples -- Prefer GitHub Docs links to **Enterprise Cloud**: `https://docs.github.com/en/enterprise-cloud@latest` (unless the guidance is specific to GitHub Enterprise Server) +- Prefer GitHub Docs links to **Enterprise Cloud**: `https://docs.github.com/enterprise-cloud@latest` (unless the guidance is specific to GitHub Enterprise Server) - Use Hugo shortcodes to keep articles consistent (see `archetypes/default.md`): - Further assistance: `{{% seeking-further-assistance-details %}}` - Related links: `{{% related-links-github-docs %}}` diff --git a/content/library/application-security/recommendations/securing-developer-workspace.md b/content/library/application-security/recommendations/securing-developer-workspace.md index b24b4fc..260715f 100644 --- a/content/library/application-security/recommendations/securing-developer-workspace.md +++ b/content/library/application-security/recommendations/securing-developer-workspace.md 
@@ -142,7 +142,7 @@ In addition to the development container best practices above, Codespaces enviro Third-party dependencies can introduce vulnerabilities into the development environment and the software supply chain. In fact, they are a leading cause of security incidents. It is essential to manage these dependencies carefully to minimize risk. This means reviewing and securing dependencies coming from package managers (like npm, PyPI, Maven, and NuGet), registries (which provide OCI images, Helm charts, and dev container features), OS-level packages (like apt, yum, and apk), and other sources. -- **Keep dependencies up to date**. Regularly update third-party libraries and packages to incorporate security patches and improvements. Use dependency management tools, such as [Dependabot](https://docs.github.com/en/enterprise-cloud@latest/dependabot), to automatically check for updates and vulnerabilities. When a new version is released, review the changelog for security-related fixes before updating. Prefer manual updates over automatic updates to ensure that changes are reviewed. Avoid mutable references. +- **Keep dependencies up to date**. Regularly update third-party libraries and packages to incorporate security patches and improvements. Use dependency management tools, such as [Dependabot](https://docs.github.com/en/enterprise-cloud@latest/code-security/getting-started/dependabot-quickstart-guide), to automatically check for updates and vulnerabilities. When a new version is released, review the changelog for security-related fixes before updating. Prefer manual updates over automatic updates to ensure that changes are reviewed. Avoid mutable references. - **Eliminate insecure packages**. Remove or replace packages that are no longer maintained or have known security issues. Vulnerabilities on developer machines can provide access to corporate networks, source code, and other sensitive resources. 
Use tools like Dependabot to identify and remediate vulnerable and outdated dependencies. Remember that multiple low- and medium-severity vulnerabilities will create a larger attack surface, creating new high- and critical-severity vulnerabilities; avoid accumulating these over time. - **Review all dependencies**. Before adding a new dependency, review its source code, documentation, and community reputation. Look for signs of active maintenance. Avoid packages with excessive permissions or those that execute code during installation without explicit user consent. Continuously review existing dependencies for security risks and remove any that are unnecessary. - **Restrict automatic code execution during package installation**. Configure package managers to block or prompt for confirmation before executing scripts during dependency installation. This prevents malicious code from running without developer awareness. For example, configure `ignore-scripts=true` in an `.npmrc` file to prevent `npm` from running lifecycle scripts by default. Placing this configuration in the project ensures that this setting applies to everyone that works with the code. In addition, creating this file at the user level (`$HOME/.npmrc` or `%USERPROFILE%\.npmrc`) ensures that you do not automatically run scripts when you restore a project that lacks this configuration. An easy way to apply user-level personalization is to use a [dotfiles](https://dotfiles.github.io/) repository to configure your development machine, [local dev containers](https://code.visualstudio.com/docs/devcontainers/containers#_personalizing-with-dotfile-repositories), or [Codespaces](https://docs.github.com/en/codespaces/setting-your-user-preferences/personalizing-github-codespaces-for-your-account#dotfiles). This ensures that your preferred settings are automatically and consistently applied to each development environment. 
diff --git a/content/library/governance/recommendations/managing-repositories-at-scale/rulesets-best-practices.md b/content/library/governance/recommendations/managing-repositories-at-scale/rulesets-best-practices.md index 064c130..2c9d307 100644 --- a/content/library/governance/recommendations/managing-repositories-at-scale/rulesets-best-practices.md +++ b/content/library/governance/recommendations/managing-repositories-at-scale/rulesets-best-practices.md @@ -109,7 +109,7 @@ Enterprises need consistent, enforceable guardrails for how code enters, evolves - Grant bypass only to roles/teams with clear break-glass standard operating procedures. - Monitor bypass exceptions via the audit log, [REST API](https://docs.github.com/enterprise-cloud@latest/rest/repos/bypass-requests), webhooks, or the native [rule insights](https://docs.github.com/enterprise-cloud@latest/organizations/managing-organization-settings/managing-rulesets-for-repositories-in-your-organization#viewing-insights-for-rulesets) dashboard; look for patterns indicating a need to adjust rules. 6. Change management & versioning - - [Rulesest history](https://docs.github.com/enterprise-cloud@latest/organizations/managing-organization-settings/managing-rulesets-for-repositories-in-your-organization#using-ruleset-history) is retained for 180 days; you can view all the changes to a ruleset and revert back to a specific iteration. + - [Rulesets history](https://docs.github.com/enterprise-cloud@latest/organizations/managing-organization-settings/managing-rulesets-for-repositories-in-your-organization#using-ruleset-history) is retained for 180 days; you can view all the changes to a ruleset and revert back to a specific iteration. 7. Measurement & feedback - Metrics: % repos covered per tier, # blocked events by rule, mean time to remediate violation patterns, bypass frequency. - Use rule insights to adjust high-friction rules. 
diff --git a/content/library/productivity/quick-links.md b/content/library/productivity/quick-links.md index 8a1ceee..16e512c 100644 --- a/content/library/productivity/quick-links.md +++ b/content/library/productivity/quick-links.md @@ -3,7 +3,7 @@ # SPDX-License-Identifier: MIT title: Quick Links weight: 1 -prev: library/productivity/introduction +prev: library/productivity next: library/productivity/design-principles --- diff --git a/content/library/scenarios/nist-ssdf-implementation.md b/content/library/scenarios/nist-ssdf-implementation.md index 83d85e3..6cf9aab 100644 --- a/content/library/scenarios/nist-ssdf-implementation.md +++ b/content/library/scenarios/nist-ssdf-implementation.md 
@@ -845,7 +845,7 @@ jobs: 1. **Security alerts**: Review and triage alerts in the Security tab 2. **Dependabot security updates**: Automatically generate PRs for dependency updates 3. **Repository custom properties**: Use [custom properties](https://docs.github.com/enterprise-cloud@latest/organizations/managing-organization-settings/managing-custom-properties-for-repositories-in-your-organization) to classify repositories by business criticality, enabling risk-based prioritization of alerts -4. **Security campaigns**: Use [security campaigns](https://docs.github.com/enterprise-cloud@latest/code-security/securing-your-organization/tracking-security-work-across-your-organization/about-security-campaigns) to prioritize and coordinate remediation of specific alert types across repositories +4. **Security campaigns**: Use [security campaigns](https://docs.github.com/enterprise-cloud@latest/code-security/securing-your-organization/fixing-security-alerts-at-scale) to prioritize and coordinate remediation of specific alert types across repositories 5. **Copilot Autofix**: Use [Copilot Autofix](https://docs.github.com/enterprise-cloud@latest/code-security/code-scanning/managing-code-scanning-alerts/about-autofix-for-codeql-code-scanning) to automatically generate fix suggestions for vulnerabilities identified by CodeQL {{< callout type="info" >}}
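Review bot: In the CONTRIBUTING.md hunk, the example URL is changed from `https://docs.github.com/en/enterprise-cloud@latest` to `https://docs.github.com/enterprise-cloud@latest`, but the bullet text around it is unchanged and never says that dropping the `/en/` locale segment is the intended convention. A reader skimming the bullet will not notice the difference between the two forms; suggest adding a few words to the bullet, e.g. `- Prefer GitHub Docs links to **Enterprise Cloud** without a locale segment: ...`, so contributors do not reintroduce `/en/` (which this very patch does in the securing-developer-workspace.md hunk).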
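Review bot: In the securing-developer-workspace.md hunk, the replacement Dependabot link `https://docs.github.com/en/enterprise-cloud@latest/code-security/getting-started/dependabot-quickstart-guide` keeps the `/en/` segment that the CONTRIBUTING.md hunk in this same patch removes from the documented convention. Suggest `https://docs.github.com/en/enterprise-cloud@latest/code-security/getting-started/dependabot-quickstart-guide` become `https://docs.github.com/enterprise-cloud@latest/code-security/getting-started/dependabot-quickstart-guide`, matching the form used by the rulesets-best-practices.md and nist-ssdf-implementation.md hunks. The unchanged Codespaces link on the same list (`https://docs.github.com/en/codespaces/...`) has the same shape and could be normalised in a follow-up.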
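Review bot: In the rulesets-best-practices.md hunk, the typo fix `Rulesest history` → `Rulesets history` is inconsistent with the target anchor `#using-ruleset-history` and with the rest of the sentence, which speaks of "a ruleset" in the singular; `Ruleset history` reads more naturally and matches the docs heading the link points at. Suggest `- [Ruleset history](https://docs.github.com/enterprise-cloud@latest/organizations/managing-organization-settings/managing-rulesets-for-repositories-in-your-organization#using-ruleset-history) is retained for 180 days; ...`.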
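Review bot: In the quick-links.md hunk, `prev: library/productivity/introduction` becomes `prev: library/productivity`, pointing the previous-page link at the section root while `next: library/productivity/design-principles` still targets a page inside the section. Nothing in this patch removes or renames an introduction page, and the commit message ("Sync from github/github-well-architected-internal") gives no rationale, so please confirm that `library/productivity/introduction` no longer exists (or that the section root is the intended landing page) so the front-matter navigation does not point at the wrong place.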
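Review bot: In the nist-ssdf-implementation.md hunk, the security campaigns link moves from the specific page `.../tracking-security-work-across-your-organization/about-security-campaigns` to the broader `.../code-security/securing-your-organization/fixing-security-alerts-at-scale`, while the list item text still names "security campaigns" specifically. If the docs still carry a campaigns page under the new section, linking it directly would keep the reader on the topic the item names; if this is a redirect follow-up after a docs reorganisation, a short note in the PR body saying so would help the next sync avoid flipping it back.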