Note
Security campaigns are currently in public preview and subject to change.
What is a security campaign
A security campaign is a group of security alerts, detected in the default branches of repositories, chosen by an organization owner or security manager for remediation. When a security campaign is created with alerts in repositories that you have write access to, you are notified if you subscribe to email notifications for "All activity" or "Security alerts". In addition, when you open the Security tab for a repository with one or more campaign alerts, you can see the campaign name in the sidebar of the view.
You can take part in a security campaign by fixing one or more of the alerts chosen for the campaign.
What are the benefits of fixing alerts in a campaign
In addition to the benefit of removing an important security problem from your code, alerts in a security campaign have several other benefits compared with fixing another alert in your repository.
- You have a contact on the security team to collaborate with.
- You know that you are fixing a security alert that is important to the company.
- Potentially, you may have access to targeted training materials.
- You don't need to request a GitHub Copilot Autofix suggestion, it is already available as a starting point.
- If you have access to GitHub Copilot Chat, you can ask questions about the alert and the suggested fix.
- You are improving and demonstrating your knowledge of secure coding.
Viewing alerts in a security campaign
When a campaign targets security alerts in a repository that you have write access to, you can navigate to the list of repository alerts in the campaign.
- Display the Security tab for the repository and click one of the campaigns under the "Campaigns" title in the sidebar.
- If you have enabled email notifications for "All activity" or "Security alerts" in the repository, click View security campaign in the campaign email.
- If you have write access to more than one repository in the organization, display the Security tab for the organization and click one of the campaigns under the "Campaigns" title in the sidebar.
This view shows the alerts in the current repository for a campaign called "SQL injection (CWE-89)" (highlighted gray) that is managed by "octocat" (outlined in dark orange).
Fixing alerts in a security campaign
If you want to see the code that triggered the security alert and the suggested fix, click on the alert name to show the alert view.
-
When you are ready to work on one or more security alerts, check that no one else is working on those alerts already. In the campaign view, git icons are displayed on alerts where a fix may already be in progress. Click an icon to display the linked work:
- an open draft pull request may fix this alert.
- an open pull request may fix this alert.
- a branch may contain changes to fix this alert.
-
In the campaign view for the repository, select the alerts that you want to fix.
-
Connect the security alerts to a working branch:
- If at least one "Autofix" suggestion is available for the selected alerts, click Commit autofix and commit the changes either to a new branch or to an existing branch.
- If no autofix suggestions are available for the selected alerts, click Create new branch to create a new branch where you will work on fixing the alerts.
-
When you have finished fixing the alerts and testing your solutions, create a pull request for your changes and request a review from the campaign manager.
Tip
If you have write permission for more than one repository in the campaign, click the link in the "Campaign progress" box in your repository to show the organization-level view of the campaign. When you open a repository from this view, the campaign alerts view is displayed.
Using GitHub Copilot Chat for secure coding
If you have access to Copilot Chat then you can ask the AI questions about the vulnerability, the suggested fix, and how to test that the fix is comprehensive.
To get the most out of Copilot Chat when you're working on code security, you should consider:
- Indexing your repositories to give Copilot Chat more context to answer questions about the repository code, see Indexing repositories for Copilot Chat.
- Explicitly asking Copilot Chat to use the GitHub Advanced Security skill to answer your questions, for example: "Use the GitHub Advanced Security skill to explain how this alert introduces a vulnerability into the code."