Require an approving review in pull requests that modify files that have a designated code owner.
",
diff --git a/src/graphql/data/ghec/schema.docs.graphql b/src/graphql/data/ghec/schema.docs.graphql
index 0899afab7911..1302ecf172f0 100644
--- a/src/graphql/data/ghec/schema.docs.graphql
+++ b/src/graphql/data/ghec/schema.docs.graphql
@@ -376,9 +376,9 @@ input AddAssigneesToAssignableInput {
assignableId: ID! @possibleTypes(concreteTypes: ["Issue", "PullRequest"], abstractType: "Assignable")
"""
- The ids of actors (users or bots) to add as assignees.
+ The ids of actors (users or bots) to add as assignees. Mutually exclusive with `assignees`.
"""
- assigneeIds: [ID!]!
+ assigneeIds: [ID!]
@possibleTypes(
concreteTypes: ["Bot", "EnterpriseUserAccount", "Mannequin", "Organization", "User"]
abstractType: "Actor"
@@ -13559,6 +13559,36 @@ type DismissRepositoryVulnerabilityAlertPayload {
repositoryVulnerabilityAlert: RepositoryVulnerabilityAlert
}
+"""
+Specify people, teams, or apps allowed to dismiss pull request reviews.
+"""
+type DismissalRestriction @docsCategory(name: "pulls") {
+ """
+ Specify people, teams, or apps allowed to dismiss pull request reviews.
+ """
+ allowedActors: [ID!]
+
+ """
+ Whether to restrict review dismissal to specific actors.
+ """
+ enabled: Boolean!
+}
+
+"""
+Specify people, teams, or apps allowed to dismiss pull request reviews.
+"""
+input DismissalRestrictionInput @docsCategory(name: "pulls") {
+ """
+ Specify people, teams, or apps allowed to dismiss pull request reviews.
+ """
+ allowedActors: [ID!]
+
+ """
+ Whether to restrict review dismissal to specific actors.
+ """
+ enabled: Boolean!
+}
+
"""
A draft issue within a project.
"""
@@ -44339,6 +44369,11 @@ type PullRequestParameters @docsCategory(name: "pulls") {
"""
dismissStaleReviewsOnPush: Boolean!
+ """
+ Specify people, teams, or apps allowed to dismiss pull request reviews.
+ """
+ dismissalRestriction: DismissalRestriction
+
"""
Require an approving review in pull requests that modify files that have a designated code owner.
"""
@@ -44382,6 +44417,11 @@ input PullRequestParametersInput @docsCategory(name: "pulls") {
"""
dismissStaleReviewsOnPush: Boolean!
+ """
+ Specify people, teams, or apps allowed to dismiss pull request reviews.
+ """
+ dismissalRestriction: DismissalRestrictionInput
+
"""
Require an approving review in pull requests that modify files that have a designated code owner.
"""
From c82f7d2d324b4f33da4342ecce34b06ffe41991b Mon Sep 17 00:00:00 2001
From: Kevin Heis
Date: Wed, 8 Jul 2026 09:59:18 -0700
Subject: [PATCH 2/7] Handle top-level array REST request bodies in gh CLI code
samples (#62191)
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
---
src/rest/components/get-rest-code-samples.ts | 20 +++---
src/rest/components/types.ts | 7 +-
src/rest/tests/get-rest-code-samples-2.ts | 30 +++++++++
src/rest/tests/get-rest-code-samples.ts | 69 ++++++++++++++++++++
4 files changed, 115 insertions(+), 11 deletions(-)
diff --git a/src/rest/components/get-rest-code-samples.ts b/src/rest/components/get-rest-code-samples.ts
index 7213f7d4410e..455a61433dd4 100644
--- a/src/rest/components/get-rest-code-samples.ts
+++ b/src/rest/components/get-rest-code-samples.ts
@@ -200,18 +200,16 @@ export function getGHExample(
// and the type is a string.
const { bodyParameters } = codeSample.request
if (bodyParameters) {
- // There should not be a case in a REST API where only an array is sent
- if (Array.isArray(bodyParameters)) {
- throw new Error('Array of arrays found in body parameters')
- }
-
if (typeof bodyParameters === 'object') {
// Special handling for gist endpoints - use --input for nested file structures
const isGistEndpoint =
+ !Array.isArray(bodyParameters) &&
operation.requestPath.includes('/gists') &&
(operation.title === 'Create a gist' || operation.title === 'Update a gist')
- // For complex objects with arrays, use --input with JSON
+ // For top-level arrays or complex objects with arrays, use --input with JSON.
+ // The gh CLI -f/-F flags can't represent a request body that is itself an array,
+ // so we fall back to piping the JSON body via --input.
const hasArrays = hasNestedArrays(bodyParameters as NestedObjectParameter)
if (hasArrays || isGistEndpoint) {
const jsonBody = JSON.stringify(
@@ -233,7 +231,7 @@ export function getGHExample(
requestBodyParams += handleObjectParameter(bodyParameters as NestedObjectParameter)
}
} else {
- requestBodyParams += handleSingleParameter('', bodyParameters)
+ requestBodyParams += handleSingleParameter('', bodyParameters as NestedObjectParameter)
}
}
@@ -388,11 +386,13 @@ export function getJSExample(
if (codeSample.request) {
Object.assign(parameters, codeSample.request.parameters)
// Most of the time the example body parameters have a name and value
- // and are included in an object. But, some cases are a single value
- // and the type is a string.
+ // and are included in an object. But some cases are a single scalar value
+ // or a top-level JSON array, both of which Octokit sends as the raw
+ // request body via the `data` option.
if (
codeSample.request.bodyParameters &&
- typeof codeSample.request.bodyParameters !== 'object'
+ (typeof codeSample.request.bodyParameters !== 'object' ||
+ Array.isArray(codeSample.request.bodyParameters))
) {
parameters.data = codeSample.request.bodyParameters
} else {
diff --git a/src/rest/components/types.ts b/src/rest/components/types.ts
index 3833a096dfed..3ff2cbc3a910 100644
--- a/src/rest/components/types.ts
+++ b/src/rest/components/types.ts
@@ -51,7 +51,12 @@ export interface CodeSample {
request: {
contentType: string
acceptHeader: string
- bodyParameters: Record>
+ // Most request bodies are an object of named parameters, but some REST
+ // operations take a single scalar value or a top-level JSON array.
+ bodyParameters:
+ | Record>
+ | Array
+ | string
parameters: Record
description: string
}
diff --git a/src/rest/tests/get-rest-code-samples-2.ts b/src/rest/tests/get-rest-code-samples-2.ts
index 26b9d92392b4..7aa265003a1d 100644
--- a/src/rest/tests/get-rest-code-samples-2.ts
+++ b/src/rest/tests/get-rest-code-samples-2.ts
@@ -447,6 +447,36 @@ describe('REST code samples authentication header handling', () => {
expect(result).toContain("await octokit.request('POST /credentials/revo")
expect(result).toContain("'X-GitHub-Api-Version': '2022-11-28'")
})
+
+ test('sends a top-level array body via the data option', () => {
+ const arrayBodyCodeSample: CodeSample = {
+ request: {
+ contentType: 'application/json',
+ description: 'Example',
+ acceptHeader: 'application/vnd.github+json',
+ bodyParameters: [{ id: 'MVS-2026-001', summary: 'Example summary' }],
+ parameters: {},
+ },
+ response: {
+ statusCode: '200',
+ contentType: 'application/json',
+ description: 'Response',
+ example: {},
+ },
+ }
+
+ const result = getJSExample(
+ standardOperation,
+ arrayBodyCodeSample,
+ 'free-pro-team@latest',
+ mockVersions,
+ )
+
+ // The array must be nested under `data`, not spread as numeric keys ("0", "1").
+ expect(result).toContain('data: [')
+ expect(result).toContain("id: 'MVS-2026-001'")
+ expect(result).not.toMatch(/["']0["']\s*:/)
+ })
})
describe('edge cases and special scenarios', () => {
diff --git a/src/rest/tests/get-rest-code-samples.ts b/src/rest/tests/get-rest-code-samples.ts
index 65ec61f02610..309729a2f829 100644
--- a/src/rest/tests/get-rest-code-samples.ts
+++ b/src/rest/tests/get-rest-code-samples.ts
@@ -229,4 +229,73 @@ describe('getGHExample - GitHub CLI code generation', () => {
expect(result).toContain('"tag2"')
expect(result).toContain('"tag3"')
})
+
+ test('handles a top-level array body via --input', () => {
+ const operation: Operation = {
+ serverUrl: 'https://api.github.com',
+ verb: 'post',
+ requestPath: '/enterprises/{enterprise}/innersource-vulnerabilities/sync',
+ title: 'Sync InnerSource vulnerabilities',
+ descriptionHTML: '
Sync vulnerabilities
',
+ previews: [],
+ statusCodes: [],
+ bodyParameters: [],
+ category: 'enterprise-admin',
+ subcategory: 'security-advisories',
+ parameters: [
+ {
+ name: 'enterprise',
+ in: 'path',
+ required: true,
+ description: 'The enterprise slug',
+ schema: { type: 'string' },
+ },
+ ],
+ codeExamples: [],
+ progAccess: {
+ permissions: [],
+ userToServerRest: true,
+ serverToServer: true,
+ fineGrainedPat: true,
+ },
+ }
+
+ const codeSample: CodeSample = {
+ request: {
+ contentType: 'application/json',
+ description: 'Example',
+ acceptHeader: 'application/vnd.github+json',
+ bodyParameters: [
+ {
+ id: 'MVS-2026-001',
+ summary: 'Example vulnerability summary',
+ aliases: ['GHSA-xxxx-xxxx-xxxx'],
+ },
+ ],
+ parameters: { enterprise: 'octo-enterprise' },
+ },
+ response: {
+ statusCode: '200',
+ contentType: 'application/json',
+ description: 'Response',
+ example: {},
+ },
+ }
+
+ const currentVersion = 'enterprise-cloud@latest'
+ const allVersions: Record = {
+ 'enterprise-cloud@latest': {
+ version: 'enterprise-cloud@latest',
+ versionTitle: 'Enterprise Cloud',
+ apiVersions: ['2022-11-28'],
+ latestApiVersion: '2022-11-28',
+ },
+ }
+
+ const result = getGHExample(operation, codeSample, currentVersion, allVersions)
+
+ expect(result).toContain('--input - <<<')
+ expect(result).toContain('"MVS-2026-001"')
+ expect(result).toContain('"GHSA-xxxx-xxxx-xxxx"')
+ })
})
From 7ed8824bb9b4da1dc566b01d8c4e46d66aa3a0af Mon Sep 17 00:00:00 2001
From: Eric Sorenson
Date: Wed, 8 Jul 2026 11:40:50 -0700
Subject: [PATCH 3/7] Add documentation for Innersource Advisories (#61561)
Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com>
Co-authored-by: mc <42146119+mchammer01@users.noreply.github.com>
Co-authored-by: grconm <167924715+grconm@users.noreply.github.com>
---
.../dependabot-alerts.md | 12 +-
.../github-advisory-database.md | 24 +-
.../index.md | 1 +
.../innersource-advisories.md | 30 +++
.../secure-your-dependencies/index.md | 1 +
.../manage-innersource-advisories.md | 235 ++++++++++++++++++
.../repositories/a-vulnerability-is.md | 1 -
7 files changed, 290 insertions(+), 14 deletions(-)
create mode 100644 content/code-security/concepts/vulnerability-reporting-and-management/innersource-advisories.md
create mode 100644 content/code-security/how-tos/secure-your-supply-chain/secure-your-dependencies/manage-innersource-advisories.md
delete mode 100644 data/reusables/repositories/a-vulnerability-is.md
diff --git a/content/code-security/concepts/supply-chain-security/dependabot-alerts.md b/content/code-security/concepts/supply-chain-security/dependabot-alerts.md
index 7bbedb59776f..bbd448feafdd 100644
--- a/content/code-security/concepts/supply-chain-security/dependabot-alerts.md
+++ b/content/code-security/concepts/supply-chain-security/dependabot-alerts.md
@@ -28,7 +28,8 @@ Software often relies on packages from various sources, creating dependency rela
{% ifversion fpt or ghec %}
* A new vulnerability is added to the {% data variables.product.prodname_advisory_database %}{% else %}
-* New advisory data is synchronized to {% data variables.product.prodname_dotcom %} each hour from {% data variables.product.prodname_dotcom_the_website %}. {% data reusables.security-advisory.link-browsing-advisory-db %}{% endif %}
+* New advisory data is synchronized to {% data variables.product.prodname_dotcom %} each hour from {% data variables.product.prodname_dotcom_the_website %}. {% data reusables.security-advisory.link-browsing-advisory-db %}{% endif %}{% ifversion ghec %}
+* Your enterprise publishes an innersource advisory for a component you depend on. For more information, see [AUTOTITLE](/code-security/concepts/vulnerability-reporting-and-management/innersource-advisories).{% endif %}
* Your dependency graph changes—for example, when you push commits that update packages or versions
For supported ecosystems, see [AUTOTITLE](/code-security/supply-chain-security/understanding-your-software-supply-chain/dependency-graph-supported-package-ecosystems#supported-package-ecosystems).
@@ -41,7 +42,9 @@ When {% data variables.product.github %} detects a vulnerable dependency, a {% d
* Details about the vulnerability and its severity
* Information about a fixed version (when available)
-For information about viewing and managing alerts, see [AUTOTITLE](/code-security/dependabot/dependabot-alerts/viewing-and-updating-dependabot-alerts).
+{% ifversion ghec %}Alerts generated from an innersource advisory carry a distinct "Innersource" label, distinguishing them from alerts based on public advisories.
+
+{% endif %}For information about viewing and managing alerts, see [AUTOTITLE](/code-security/dependabot/dependabot-alerts/viewing-and-updating-dependabot-alerts).
## Who can enable alerts?
@@ -102,7 +105,7 @@ Alternatively, you can opt into the weekly email digest, or even completely turn
* Alerts can't catch every security issue. Always review your dependencies and keep manifest and lock files up to date for accurate detection.
* New vulnerabilities may take time to appear in the {% data variables.product.prodname_advisory_database %} and trigger alerts.
-* Only advisories reviewed by {% data variables.product.github %} trigger alerts.
+* Only advisories reviewed by {% data variables.product.github %}{% ifversion ghec %} or published by your enterprise as innersource advisories{% endif %} trigger alerts.
* {% data variables.product.prodname_dependabot %} doesn't scan archived repositories.{% ifversion dependabot-malware-alerts %}{% else %}
* {% data variables.product.prodname_dependabot %} doesn't generate alerts for malware.{% endif %}
* {% data reusables.dependabot.dependabot-alert-actions-semver %}
@@ -120,7 +123,8 @@ With a {% data variables.copilot.copilot_enterprise %} license, you can ask {% d
## Further reading
{% ifversion dependabot-malware-alerts %}
-* [AUTOTITLE](/code-security/concepts/supply-chain-security/dependabot-malware-alerts){% endif %}
+* [AUTOTITLE](/code-security/concepts/supply-chain-security/dependabot-malware-alerts){% endif %}{% ifversion ghec %}
+* [AUTOTITLE](/code-security/concepts/vulnerability-reporting-and-management/innersource-advisories){% endif %}
* [AUTOTITLE](/code-security/dependabot/dependabot-alerts/viewing-and-updating-dependabot-alerts)
* [AUTOTITLE](/code-security/dependabot/dependabot-security-updates/about-dependabot-security-updates)
* [AUTOTITLE](/code-security/getting-started/auditing-security-alerts)
diff --git a/content/code-security/concepts/vulnerability-reporting-and-management/github-advisory-database.md b/content/code-security/concepts/vulnerability-reporting-and-management/github-advisory-database.md
index 3576365801ce..8e27f99f1219 100644
--- a/content/code-security/concepts/vulnerability-reporting-and-management/github-advisory-database.md
+++ b/content/code-security/concepts/vulnerability-reporting-and-management/github-advisory-database.md
@@ -1,6 +1,6 @@
---
title: GitHub Advisory database
-intro: 'The {% data variables.product.prodname_advisory_database %} contains a list of known security vulnerabilities and malware, grouped in three categories: {% data variables.product.company_short %}-reviewed advisories, unreviewed advisories, and malware advisories.'
+intro: 'Research known security vulnerabilities and malware in open source packages, so you can understand and remediate the risks in your dependencies.'
versions:
fpt: '*'
ghec: '*'
@@ -17,19 +17,25 @@ category:
## About the {% data variables.product.prodname_advisory_database %}
-{% data reusables.repositories.tracks-vulnerabilities %}
-
Security advisories are published as JSON files in the Open Source Vulnerability (OSV) format. For more information about the OSV format, see [Open Source Vulnerability format](https://ossf.github.io/osv-schema/).
## Types of security advisories
-Each advisory in the {% data variables.product.prodname_advisory_database %} is for a vulnerability in open source projects or for malicious open source software.
+Each advisory in the {% data variables.product.prodname_advisory_database %} relates to a specific security problem in a software component. These problems come in several varieties.
+
+A vulnerability is a problem in a project's code that could be exploited to damage the confidentiality, integrity, or availability of the project or other projects that use it. Vulnerabilities in code are usually introduced by accident and fixed soon after they are discovered. Vulnerability advisories contain information about the range of released package versions where the problem exists, and the earliest version where the problem was fixed. This helps downstream users of the software address the vulnerability by updating their dependencies to use a fixed version as soon as it is available.
+
+In contrast, malicious software, or malware, is code that is intentionally designed to perform unwanted or harmful functions. The malware may target hardware, software, confidential data, or users of any application that uses the malware. You need to remove the malware from your project and find an alternative, more secure replacement for the dependency. Malware alerts do not contain a fix version, because the defining characteristic of a malware alert is that there are no safe versions—the only safe course of action is not to use the package at all.
-{% data reusables.repositories.a-vulnerability-is %} Vulnerabilities in code are usually introduced by accident and fixed soon after they are discovered. You should update your code to use the fixed version of the dependency as soon as it is available.
+{% ifversion ghec %}
-In contrast, malicious software, or malware, is code that is intentionally designed to perform unwanted or harmful functions. The malware may target hardware, software, confidential data, or users of any application that uses the malware. You need to remove the malware from your project and find an alternative, more secure replacement for the dependency.
+Both of these advisory types are public information about open source packages. Users with {% data variables.product.prodname_GH_code_security %} or {% data variables.product.prodname_GHAS %} can also create innersource advisories, which restrict visibility to just their organization or enterprise. Innersource advisories use the same OSV format as public advisories but can be associated with either public or internal, private projects. This allows enterprises to use the familiar {% data variables.product.prodname_dependabot %} alert and update features to provide fixes to internal software consumers. For more information about innersource advisories, see [AUTOTITLE](/code-security/concepts/vulnerability-reporting-and-management/innersource-advisories).
-### {% data variables.product.company_short %}-reviewed advisories
+{% endif %}
+
+### {% data variables.product.company_short %}-reviewed vulnerability advisories
+
+{% data reusables.repositories.tracks-vulnerabilities %}
{% data reusables.advisory-database.github-reviewed-overview %}
@@ -52,7 +58,7 @@ If you have a suggestion for a new ecosystem we should support, please open an [
If you enable {% data variables.product.prodname_dependabot_alerts %} for your repositories, you are automatically notified when a new {% data variables.product.company_short %}-reviewed advisory reports a vulnerability for a package you depend on. For more information, see [AUTOTITLE](/code-security/dependabot/dependabot-alerts/about-dependabot-alerts).
-### Unreviewed advisories
+### Unreviewed vulnerability advisories
{% data reusables.advisory-database.unreviewed-overview %}
@@ -64,7 +70,7 @@ If you enable {% data variables.product.prodname_dependabot_alerts %} for your r
{% data variables.product.prodname_dependabot %} doesn't generate alerts when malware is detected as most of the vulnerabilities cannot be resolved by downstream users. You can view malware advisories by searching for `type:malware` in the {% data variables.product.prodname_advisory_database %}.
-Our malware advisories are mostly about substitution attacks. During this type of attack, an attacker publishes a package to the public registry with the same name as a dependency that users rely on from a third party or private registry, with the hope that the malicious version is consumed. {% data variables.product.prodname_dependabot %} doesn’t look at project configurations to determine if the packages are coming from a private registry, so we aren't sure if you're using the malicious version or a non-malicious version. Users who have their dependencies appropriately scoped should not be affected by malware.
+Our malware advisories are mostly about substitution attacks. During this type of attack, an attacker publishes a package to the public registry with the same name as a dependency that users rely on from a third party or private registry, with the hope that the malicious version is consumed. {% data variables.product.prodname_dependabot %} doesn't look at project configurations to determine if the packages are coming from a private registry, so we can't determine whether you're using the malicious version or a non-malicious version that has the same name. Users who have their dependencies appropriately scoped should not be affected by malware.
## Information in security advisories
diff --git a/content/code-security/concepts/vulnerability-reporting-and-management/index.md b/content/code-security/concepts/vulnerability-reporting-and-management/index.md
index 96e4c138a7c3..c2ead6f7851c 100644
--- a/content/code-security/concepts/vulnerability-reporting-and-management/index.md
+++ b/content/code-security/concepts/vulnerability-reporting-and-management/index.md
@@ -8,6 +8,7 @@ versions:
contentType: concepts
children:
- /github-advisory-database
+ - /innersource-advisories
- /repository-security-advisories
- /global-security-advisories
- /coordinated-disclosure
diff --git a/content/code-security/concepts/vulnerability-reporting-and-management/innersource-advisories.md b/content/code-security/concepts/vulnerability-reporting-and-management/innersource-advisories.md
new file mode 100644
index 000000000000..9d69f3b07a2c
--- /dev/null
+++ b/content/code-security/concepts/vulnerability-reporting-and-management/innersource-advisories.md
@@ -0,0 +1,30 @@
+---
+title: Innersource advisories
+shortTitle: Innersource advisories
+intro: Enterprises can alert their internal repositories to vulnerabilities and ship automated fixes with {% data variables.product.prodname_dependabot %}, using advisories that stay private to a single enterprise.
+versions:
+ fpt: '*'
+ ghec: '*'
+contentType: concepts
+category:
+ - Secure your dependencies
+---
+
+## About innersource advisories
+
+The {% data variables.product.prodname_advisory_database %} provides a centralized source of alert information for security vulnerabilities. When an advisory about a vulnerable open source component is published, {% data variables.product.prodname_dependabot %} uses {% data variables.product.company_short %}'s dependency graph to find repositories that are using that component, then sends alerts and pull requests to notify the repository's owners and update the affected code to a newer version that fixes the vulnerability.
+
+Enterprises can use the same mechanism to create alerts and send updates about internally discovered vulnerabilities. Innersource advisories use a similar Open Source Vulnerability (OSV) data format to public advisories, but are not publicly visible. They are scoped to a single enterprise and therefore only propagate alerts to repositories inside that enterprise. The subject of an innersource advisory can be either an internal or open source component, enabling enterprises to push fixes independent of public disclosure and alerting.
+
+## Who can create innersource advisories
+
+Innersource advisories can only be created in enterprises that have an active {% data variables.product.prodname_GH_code_security %} or {% data variables.product.prodname_GHAS %} license. If your license expires or {% data variables.product.prodname_GH_code_security %} is disabled, advisories will no longer be visible and will not propagate alerts. However, the underlying data will not be deleted, and re-activating the license will restore any pre-existing advisories.
+
+## Limitations of innersource advisories
+
+* Currently, advisories can only be scoped to an entire enterprise. You cannot target individual organizations or groups of organizations inside the enterprise.
+* Each enterprise is limited to 2,000 active advisories. Attempts to create new advisories once that limit is reached will result in an error. If you reach this limit, you can withdraw old or outdated advisories. See [AUTOTITLE](/code-security/how-tos/secure-your-supply-chain/secure-your-dependencies/manage-innersource-advisories#withdrawing-innersource-advisories).
+
+## Next steps
+
+To create, distribute, and withdraw innersource advisories, see [AUTOTITLE](/code-security/how-tos/secure-your-supply-chain/secure-your-dependencies/manage-innersource-advisories).
diff --git a/content/code-security/how-tos/secure-your-supply-chain/secure-your-dependencies/index.md b/content/code-security/how-tos/secure-your-supply-chain/secure-your-dependencies/index.md
index cfb8439900db..c1f2d1b760bb 100644
--- a/content/code-security/how-tos/secure-your-supply-chain/secure-your-dependencies/index.md
+++ b/content/code-security/how-tos/secure-your-supply-chain/secure-your-dependencies/index.md
@@ -12,6 +12,7 @@ children:
- /configure-malware-alerts
- /configure-security-updates
- /configure-version-updates
+ - /manage-innersource-advisories
- /auto-update-actions
- /configuring-multi-ecosystem-updates
- /enable-dependency-graph
diff --git a/content/code-security/how-tos/secure-your-supply-chain/secure-your-dependencies/manage-innersource-advisories.md b/content/code-security/how-tos/secure-your-supply-chain/secure-your-dependencies/manage-innersource-advisories.md
new file mode 100644
index 000000000000..62fa6a5c713f
--- /dev/null
+++ b/content/code-security/how-tos/secure-your-supply-chain/secure-your-dependencies/manage-innersource-advisories.md
@@ -0,0 +1,235 @@
+---
+title: Managing innersource advisories
+shortTitle: Manage innersource advisories
+intro: Create, distribute, and withdraw enterprise-scoped advisories to alert your internal repositories to vulnerabilities and ship fixes automatically.
+versions:
+ fpt: '*'
+ ghec: '*'
+contentType: how-tos
+category:
+ - Secure your dependencies
+---
+
+For background on how innersource advisories work and who can create them, see [AUTOTITLE](/code-security/concepts/vulnerability-reporting-and-management/innersource-advisories).
+
+## Prerequisites
+
+Innersource advisories can only be created in enterprises with an active {% data variables.product.prodname_GH_code_security %} or {% data variables.product.prodname_GHAS %} license.
+
+## Creating innersource advisories
+
+To create an innersource advisory:
+
+1. Create and install a {% data variables.product.prodname_github_app %} with the `enterprise_innersource_vulnerabilities` permission.
+1. Generate a token associated with the app that has `write` access to this permission.
+1. Create a description of the vulnerability using the OSV format, and `POST` it to the REST API endpoint `/enterprises/{enterprise}/innersource-vulnerabilities/sync`.
+
+Each of these steps is described in more detail below.
+
+### Step 1: Create a {% data variables.product.prodname_github_app %}
+
+Register a {% data variables.product.prodname_github_app %} that is owned by your enterprise, and grant it the `enterprise_innersource_vulnerabilities` permission with `read and write` access. See [AUTOTITLE](/apps/creating-github-apps/registering-a-github-app/registering-a-github-app).
+
+After registering the app, install it on your enterprise so that it can act on the enterprise's behalf.
+
+### Step 2: Generate an access token
+
+Authenticate as the {% data variables.product.prodname_github_app %} installation to generate an installation access token. This token carries the `enterprise_innersource_vulnerabilities` permission and is used to authenticate your requests to the REST API. See [AUTOTITLE](/apps/creating-github-apps/authenticating-with-a-github-app/generating-an-installation-access-token-for-a-github-app).
+
+### Step 3: Upload an advisory description
+
+Describe the vulnerability using the OSV format, then `POST` the payload to `/enterprises/{enterprise}/innersource-vulnerabilities/sync`, using the installation access token to authenticate. The payload identifies the affected package and the range of vulnerable versions. If a fixed version is available, include a `fixed` field with the version number so that {% data variables.product.prodname_dependabot %} can open pull requests to update affected repositories.
+
+For detailed information on the advisory schema, see [AUTOTITLE](/rest/enterprise-admin/security-advisories#sync-innersource-vulnerabilities-for-an-enterprise).
+
+## Using innersource advisories
+
+After you create an innersource advisory, repositories in the enterprise that use the affected component will receive alerts and updates.
+
+1. Ensure that the repositories in your enterprise have {% data variables.product.prodname_dependabot_alerts %} and updates enabled. You can enforce this at scale using a security configuration. See [AUTOTITLE](/code-security/how-tos/secure-at-scale/configure-organization-security/establish-complete-coverage/create-custom-configuration).
+1. Watch the dependent repositories' {% data variables.product.prodname_dependabot_alerts %} page for a new alert about the affected component. The alert will have a distinct "Innersource" label on it to distinguish it from open source advisory alerts.
+1. If your advisory payload included a `fixed` field with a version number that matches an available package, {% data variables.product.prodname_dependabot %} will also create a pull request that updates the package manager's manifest file. See [AUTOTITLE](/code-security/how-tos/secure-your-supply-chain/secure-your-dependencies/configure-version-updates).
+
+## Withdrawing innersource advisories
+
+When there are no more vulnerable versions of an affected component in use, or if an advisory is superseded, it can be helpful to withdraw it.
+
+To withdraw an advisory, use the same REST API endpoint as the creation step, but adjust the payload to include a `withdrawn` key, whose value is a `date-time` field indicating when the vulnerability was withdrawn.
+
+## OSV format support and limitations
+
+{% data variables.product.prodname_dotcom %} accepts vulnerabilities in the [Open Source Vulnerability (OSV) format](https://ossf.github.io/osv-schema/) through the innersource vulnerability sync API. While {% data variables.product.prodname_dotcom %} strives for compatibility with the OSV specification, there are differences between the standard OSV schema and what {% data variables.product.prodname_dotcom %} requires or supports.
+
+### Supported OSV schema version
+
+{% data variables.product.prodname_dotcom %} supports OSV schema versions compatible with `~> 1.0` (i.e., `1.0.0` through `1.x.x`). The recommended schema version is `1.4.0`.
+
+### Affected entry formatting
+
+The OSV specification allows a single `affected` entry to contain multiple `ranges` and multiple `versions` for the same package. {% data variables.product.prodname_dotcom %} normalizes these internally by splitting them into separate entries:
+
+| OSV standard | {% data variables.product.prodname_dotcom %} behavior |
+|---|---|
+| A single `affected` entry can contain multiple `ranges` | Accepted. Each range is processed as a separate vulnerable version range. |
+| A single `affected` entry can contain multiple `versions` | Accepted. Each version is treated as an exact match (`= x.y.z`) and processed as a separate vulnerable version range. |
+| A single `affected` entry can mix `ranges` and `versions` | Accepted. Ranges and versions are split into separate entries internally. |
+| A `SEMVER` range can contain multiple `introduced`/`fixed` pairs | Accepted. Multiple disjoint intervals (e.g., `[1.0.0, 1.0.2)` and `[3.0.0, 3.2.5)`) within a single range are supported. |
+
+### Supported range types
+
+| Range type | Support |
+|---|---|
+| `ECOSYSTEM` | **Fully supported.** Supports `introduced`, `fixed`, and `last_affected` events. |
+| `SEMVER` | **Fully supported.** Supports `introduced`, `fixed`, and `last_affected` events. The `last_affected` event is parsed as a `<=` upper-bound comparator. |
+| `GIT` | **Not supported.** Git commit-based ranges are not processed. |
+
+> [!NOTE]
+> - For `ECOSYSTEM` ranges, only one `introduced` and one `fixed` (or `last_affected`) event per range is supported. If you need to express multiple disjoint version ranges for the same package, use separate `affected` entries or separate ranges.
+> - `SEMVER` ranges support multiple `introduced`/`fixed` pairs within a single range (e.g., `[1.0.0, 1.0.2)` and `[3.0.0, 3.2.5)` in one events array).
+> - `fixed` and `last_affected` **cannot appear together** in the same range. Use one or the other, with preference for `fixed`.
+
+### Required fields
+
+The OSV specification treats several fields as optional, but {% data variables.product.prodname_dotcom %} requires them. Requests missing these fields are **rejected with a 422 error**.
+
+| Field | OSV spec | {% data variables.product.prodname_dotcom %} requirement |
+|---|---|---|
+| `id` | Required | Required. Used as the external identifier for the vulnerability. |
+| `severity` array | Optional | **Required.** Must contain at least one `CVSS_V3` or `CVSS_V4` entry with a non-empty `score` string (e.g., `CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H`). Requests without a valid CVSS entry are rejected. |
+| `affected[].package.ecosystem` | Required | Must be a [supported ecosystem](#ecosystem-mapping) |
+| `affected[].ranges` or `affected[].versions` | At least one required | At least one range or version must be present for alert matching |
+
+### Optional fields with automatic derivation
+
+| Field | Behavior |
+|---|---|
+| `database_specific.severity` | If provided, used as the qualitative severity label (`critical`, `high`, `moderate`, or `low`). If absent, the severity is **automatically derived** from the CVSS vector score. |
+| `summary` | If absent, falls back to the `id` field. |
+| `details` | If absent, falls back to `summary` or `id`. |
+
+### Supported severity types
+
+| Severity type | Support |
+|---|---|
+| `CVSS_V3` | **Supported.** Must be a valid CVSS 3.1 vector string. |
+| `CVSS_V4` | **Supported.** Must be a valid CVSS 4.0 vector string. |
+| Other types | **Not supported.** Will cause a parsing error. |
+
+### Supported reference types
+
+| Reference type | Support |
+|---|---|
+| `ADVISORY` | Supported |
+| `WEB` | Supported |
+| `FIX` | Supported |
+| `ARTICLE` | Supported |
+| `REPORT` | Supported |
+| `PACKAGE` | Supported (mapped to source code location) |
+| `EVIDENCE` | Supported (ignored during processing) |
+| `DETECTION` | **Not supported.** Stripped during processing. |
+
+### Alias support
+
+| Alias format | Support |
+|---|---|
+| `CVE-YYYY-NNNNN` | **Supported.** Extracted as the CVE identifier. Only the first CVE alias is used. |
+| Other formats (GHSA, PYSEC, etc.) | **Not supported.** Stripped during processing. |
+
+> [!NOTE]
+> If the vulnerability `id` field starts with `GHSA-`, it is recognized as a GHSA identifier. However, GHSA entries in the `aliases` array are stripped and not preserved.
+
+### Field size constraints
+
+The OSV specification does not define maximum string lengths for any field — all strings are unbounded. However, {% data variables.product.prodname_dotcom %} enforces field size limits based on its internal database schema. These limits cannot be relaxed without breaking synchronization with {% data variables.product.prodname_ghe_server %}, which maintains its own compatible schema.
+
+Submissions exceeding these limits are rejected with a descriptive 422 error indicating which field exceeded the limit and the actual length provided (e.g., `affected[0].first_patched_version is 63 characters (max 50)`).
+
+| OSV field | Maps to | OSV standard limit | {% data variables.product.prodname_dotcom %} limit | Unit |
+|---|---|---|---|---|
+| `summary` | `vulnerabilities.summary` | No limit (recommended ≤120 chars) | **1,024** | bytes |
+| `id` | `vulnerabilities.external_id` | No limit | **2,048** | characters |
+| `aliases[]` (CVE entry) | `vulnerabilities.cve_id` | No limit | **20** | characters |
+| `severity[].score` (CVSS v3) | `vulnerabilities.cvss_v3` | No limit | **255** | bytes |
+| `severity[].score` (CVSS v4) | `vulnerabilities.cvss_v4` | No limit | **255** | characters |
+| `affected[].package.ecosystem` | `vulnerable_version_ranges.ecosystem` | No limit | **20** | characters |
+| `affected[].package.name` | `vulnerable_version_ranges.affects` | No limit | **255** | characters |
+| `affected[].ranges[].events[].fixed` | `vulnerable_version_ranges.fixed_in` | No limit | **50** | characters |
+| Computed vulnerable version range | `vulnerable_version_ranges.requirements` | No limit | **65,535** | bytes |
+
+> [!NOTE]
+> - The `fixed_in` (first patched version) limit of 50 characters is the most commonly encountered constraint. Some ecosystems use long pre-release version strings (e.g., `1.0.0-alpha.gamma.delta.epsilon.zeta.eta.theta`) that exceed this limit.
+> - `varchar` columns are validated by character count; `varbinary` and `text` columns are validated by byte size (relevant for multi-byte UTF-8 characters).
+> - These limits are constrained by {% data variables.product.prodname_ghe_server %} schema compatibility. Widening columns on {% data variables.product.prodname_dotcom %} without matching GHES changes would cause advisory sync failures between environments.
+
+### Ecosystem mapping
+
+{% data variables.product.prodname_dotcom %} maps OSV ecosystem names to its internal ecosystem identifiers. The following ecosystems are supported:
+
+| OSV ecosystem | {% data variables.product.prodname_dotcom %} ecosystem |
+|---|---|
+| `npm` | npm |
+| `PyPI` | pip |
+| `RubyGems` | RubyGems |
+| `Maven` | Maven |
+| `NuGet` | NuGet |
+| `Packagist` | Composer |
+| `Go` | Go |
+| `crates.io` | Rust |
+| `Hex` | Erlang |
+| `Pub` | Pub |
+| `SwiftURL` | Swift |
+| `GitHub Actions` | GitHub Actions |
+
+### Example: minimal OSV payload for alert generation
+
+The following is a minimal OSV payload that contains all required fields for {% data variables.product.prodname_dotcom %} to create a {% data variables.product.prodname_dependabot %} alert:
+
+```json
+{
+ "schema_version": "1.4.0",
+ "id": "EXAMPLE-2024-001",
+ "modified": "2024-01-15T10:00:00Z",
+ "summary": "Example vulnerability in example-package",
+ "details": "A detailed description of the vulnerability.",
+ "aliases": ["CVE-2024-12345"],
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
+ }
+ ],
+ "affected": [
+ {
+ "package": {
+ "ecosystem": "npm",
+ "name": "example-package"
+ },
+ "ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ { "introduced": "0" },
+ { "fixed": "1.2.3" }
+ ]
+ }
+ ]
+ }
+ ],
+ "database_specific": {
+ "severity": "Critical"
+ },
+ "references": [
+ { "type": "ADVISORY", "url": "https://example.com/advisory" }
+ ],
+ "published": "2024-01-15T10:00:00Z"
+}
+```
+
+### Known limitations
+
+* **Maximum 100 vulnerabilities per request.** The sync API accepts at most 100 vulnerabilities in a single request.
+* **No `GIT` range type.** Git commit-based version ranges are not supported.
+* **Single event types per ECOSYSTEM range.** Each `ECOSYSTEM` range supports one `introduced` and one upper-bound event (`fixed` or `last_affected`). Multiple `introduced`/`fixed` pairs in a single `ECOSYSTEM` range are not supported — use separate ranges or separate `affected` entries instead. (This limitation does not apply to `SEMVER` ranges, which support multiple event pairs.)
+* **`fixed` and `last_affected` are mutually exclusive.** A single range cannot contain both `fixed` and `last_affected` events. Use one or the other.
+* **GHES sync compatibility.** Field size limits (such as `fixed_in` at 50 characters) are constrained by {% data variables.product.prodname_ghe_server %} schema compatibility requirements.
+
diff --git a/data/reusables/repositories/a-vulnerability-is.md b/data/reusables/repositories/a-vulnerability-is.md
deleted file mode 100644
index 2433f7cd6552..000000000000
--- a/data/reusables/repositories/a-vulnerability-is.md
+++ /dev/null
@@ -1 +0,0 @@
-A vulnerability is a problem in a project's code that could be exploited to damage the confidentiality, integrity, or availability of the project or other projects that use its code. Vulnerabilities vary in type, severity, and method of attack.
From 2d42689c0f4b229e9ba1ecc9b933532c834b857c Mon Sep 17 00:00:00 2001
From: Evan Bonsignori
Date: Wed, 8 Jul 2026 11:54:34 -0700
Subject: [PATCH 4/7] Migrate Label to @primer/react-brand (#62081)
---
src/graphql/components/GraphqlItem.tsx | 6 +++---
src/landings/components/CookBookArticleCard.module.scss | 1 +
src/landings/components/CookBookArticleCard.tsx | 9 +++++----
3 files changed, 9 insertions(+), 7 deletions(-)
diff --git a/src/graphql/components/GraphqlItem.tsx b/src/graphql/components/GraphqlItem.tsx
index 42c0f5361e5c..c15af9d85014 100644
--- a/src/graphql/components/GraphqlItem.tsx
+++ b/src/graphql/components/GraphqlItem.tsx
@@ -1,5 +1,5 @@
import React, { type JSX } from 'react'
-import { Label } from '@primer/react'
+import { Label } from '@primer/react-brand'
import { HeadingLink } from '@/frame/components/article/HeadingLink'
import type { GraphqlT } from './types'
import { Notice } from './Notice'
@@ -41,9 +41,9 @@ export function GraphqlItem({ item, heading, children, headingLevel = 2, kind }:
{item.name}
-