akinjanata
diff --git a/‎content/code-security/code-scanning/managing-code-scanning-alerts/responsible-use-autofix-code-scanning.md
+1-1 b/‎content/code-security/code-scanning/managing-code-scanning-alerts/responsible-use-autofix-code-scanning.md
+1-1
diff --git a/‎content/code-security/getting-started/index.md
+1 b/‎content/code-security/getting-started/index.md
+1
diff --git a/‎content/code-security/getting-started/understanding-github-secret-types.md
+188 b/‎content/code-security/getting-started/understanding-github-secret-types.md
+188
diff --git a/‎content/code-security/secret-scanning/copilot-secret-scanning/index.md
+1-1 b/‎content/code-security/secret-scanning/copilot-secret-scanning/index.md
+1-1
diff --git a/‎content/code-security/secret-scanning/copilot-secret-scanning/responsible-ai-generic-secrets.md
+2-2 b/‎content/code-security/secret-scanning/copilot-secret-scanning/responsible-ai-generic-secrets.md
+2-2
diff --git a/‎content/code-security/secret-scanning/copilot-secret-scanning/responsible-ai-regex-generator.md
+4-2 b/‎content/code-security/secret-scanning/copilot-secret-scanning/responsible-ai-regex-generator.md
+4-2
diff --git a/‎content/copilot/using-github-copilot/ai-models/using-claude-sonnet-in-github-copilot.md
+2 b/‎content/copilot/using-github-copilot/ai-models/using-claude-sonnet-in-github-copilot.md
+2
@@ -26,7 +26,7 @@ redirect_from:
 
 {% data variables.product.prodname_copilot_autofix_short %} is allowed by default and enabled for every repository using {% data variables.product.prodname_codeql %}, but you can choose to opt out and disable {% data variables.product.prodname_copilot_autofix_short %}. To learn how to disable {% data variables.product.prodname_copilot_autofix_short %} at the enterprise, organization and repository levels, see [AUTOTITLE](/code-security/code-scanning/managing-code-scanning-alerts/disabling-autofix-for-code-scanning).
 
-In an organization's security overview dashboard, you can view the total number of code suggestions generated on open and closed pull requests in the organization for a given time period. For more information, see [AUTOTITLE](/enterprise-cloud@latest/code-security/security-overview/viewing-security-insights#autofix-suggestions) in the {% data variables.product.prodname_ghe_cloud %} documentation.
+In an organization's security overview dashboard, you can view the total number of code suggestions generated on open and closed pull requests in the organization for a given time period. For more information, see {% ifversion ghas-products-cloud %}[AUTOTITLE](/code-security/security-overview/viewing-security-insights#autofix-suggestions){% elsif fpt %}[AUTOTITLE](/enterprise-cloud@latest/code-security/security-overview/viewing-security-insights#autofix-suggestions) in the {% data variables.product.prodname_ghe_cloud %} documentation{% endif %}.
 
 ## Developer experience
 
 
@@ -19,4 +19,5 @@ children:
   - /adding-a-security-policy-to-your-repository
   - /auditing-security-alerts
   - /best-practices-for-preventing-data-leaks-in-your-organization
+  - /understanding-github-secret-types
 ---
@@ -0,0 +1,188 @@
+---
+title: Understanding GitHub secret types
+intro: 'Learn about the usage, scope, and access permissions for {% data variables.product.github %} secrets.'
+versions:
+  fpt: '*'
+  ghes: '*'
+  ghec: '*'
+type: overview
+topics:
+  - Repositories
+  - Dependencies
+  - Vulnerabilities
+  - Advanced Security
+shortTitle: GitHub secret types
+---
+
+## About {% data variables.product.github %}'s secret types
+
+{% data variables.product.github %} secrets are used to securely store sensitive information like API keys, tokens, and passwords in repositories.
+
+When you store the sensitive information as a {% data variables.product.github %} secret, you remove the need to hardcode the credential or key, and prevent exposure of it in your code or logs. The secret can then be used to authenticate services, manage credentials, and securely pass sensitive data in workflows.
+
+There are {% ifversion fpt or ghec %}three {% else %}two {% endif %}types of secrets used by {% data variables.product.github %}:
+
+* [{% data variables.product.prodname_dependabot %} secrets](#dependabot-secrets)
+* [Actions secrets](#actions-secrets){% ifversion fpt or ghec %}
+* [{% data variables.product.prodname_codespaces %} secrets](#codespaces-secrets){% endif %}
+
+Depending on the {% data variables.product.github %} secret type, you can create and manage secrets under your repository, organization, or personal account security settings page.
+
+{% ifversion fpt or ghec %}
+
+### Understanding how {% data variables.product.github %} stores secrets
+
+{% data variables.product.github %} uses [Libsodium sealed boxes](https://libsodium.gitbook.io/doc/public-key_cryptography/sealed_boxes) to encrypt secrets. A secret is encrypted before reaching {% data variables.product.github %} and remains encrypted until it's used by the relevant service ({% data variables.product.prodname_dependabot %}, {% data variables.product.prodname_actions %}, or {% data variables.product.prodname_codespaces %}).
+
+{% endif %}
+
+## {% data variables.product.prodname_dependabot %} secrets
+
+{% data variables.product.prodname_dependabot %} secrets are used to store credentials and sensitive information for use within {% data variables.product.prodname_dependabot %}.
+
+{% data variables.product.prodname_dependabot %} secrets are referenced in a repository's `dependabot.yml` file.
+
+### Usage
+
+{% data variables.product.prodname_dependabot %} secrets are typically used by {% data variables.product.prodname_dependabot %} to authenticate to private package registries. This allows {% data variables.product.prodname_dependabot %} to open pull requests to update vulnerable or outdated dependencies in private repositories. Used for authentication, these {% data variables.product.prodname_dependabot %} secrets are referenced in a repository's `dependabot.yml` file.
+
+{% data variables.product.prodname_dependabot %} secrets can also include secrets required for workflows initiated by {% data variables.product.prodname_dependabot %}. For example, {% data variables.product.prodname_dependabot %} can trigger {% data variables.product.prodname_actions %} workflows when it creates pull requests to update dependencies, or comments on pull requests. In this case, {% data variables.product.prodname_dependabot %} secrets can be referenced from workflow files (`.github/workflows/*.yml`) as long as the workflow is triggered by a {% data variables.product.prodname_dependabot %} event.
+
+### Scope
+
+You can define {% data variables.product.prodname_dependabot %} secrets at:
+
+* Repository level
+* Organization level
+
+{% data variables.product.prodname_dependabot %} secrets can be shared across repositories when set at the organization-level. You must specify which repositories in the organization can access the secret.
+
+### Access permissions
+
+{% data variables.product.prodname_dependabot %} secrets are accessed by {% data variables.product.prodname_dependabot %} when authenticating to private registries to update dependencies.
+
+{% data variables.product.prodname_dependabot %} secrets are accessed by {% data variables.product.prodname_actions %} workflows when the trigger event for the workflow is initiated by {% data variables.product.prodname_dependabot %}. This is because when a workflow is initiated by {% data variables.product.prodname_dependabot %}, only {% data variables.product.prodname_dependabot %} secrets are available - Actions secrets are not accessible. Therefore, any secrets required for these workflows must be stored as {% data variables.product.prodname_dependabot %} secrets, rather than Actions secrets. There are additional security restrictions for the `pull_request_target` event. See [Limitations and restrictions](#limitations-and-restrictions).
+
+#### User access permissions
+
+Repository-level secrets:
+* Users with **admin access** to the repository can create and manage {% data variables.product.prodname_dependabot %} secrets.
+* Users with **collaborator access** to the repository can use the secret for {% data variables.product.prodname_dependabot %}.
+
+Organization-level secrets:
+* **Organization owners** can create and manage {% data variables.product.prodname_dependabot %} secrets.
+* Users with **collaborator access** to the repositories with access to each secret can use the secret for {% data variables.product.prodname_dependabot %}.
+
+### Limitations and restrictions
+
+For workflows initiated by {% data variables.product.prodname_dependabot %}, the `pull_request_target` event is treated differently to other events. For this event, if the base ref of the pull request was created by {% data variables.product.prodname_dependabot %} (`github.event.pull_request.user.login == 'dependabot[bot]'`):
+
+   * The workflow receives a read-only `GITHUB_TOKEN`.
+   * Secrets are **not** available to the workflow.
+
+This extra restriction helps prevent potential security risks that could arise from pull requests created by {% data variables.product.prodname_dependabot %}.
+
+{% data variables.product.prodname_dependabot %} secrets are not passed to forks.
+
+## Actions secrets
+
+Actions secrets are used to store sensitive information such as API keys, authentication tokens, and other credentials in workflows.
+
+### Usage
+
+Actions secrets are referenced in workflow files (`.github/workflows/*.yml`).
+
+### Scope
+
+You can define Actions secrets at:
+
+* Repository level
+* Environment level
+* Organization level
+
+Environment-level secrets are specific to a particular environment, such as production or staging.
+Actions secrets can be shared across repositories if set at the organization-level. You can use access policies to control which repositories have access to the secret.
+
+### Access permissions
+
+Actions secrets are only available within {% data variables.product.prodname_actions %} workflows. Despite running on Actions, {% data variables.product.prodname_dependabot %} does not have access to Actions secrets.
+
+For workflows initiated by {% data variables.product.prodname_dependabot %}, Actions secrets are not available. These workflow secrets must be stored as {% data variables.product.prodname_dependabot %} secrets in order to be accessible to the workflow.
+
+The location where you store the Actions secret determines its accessibility:
+
+* Repository secret: all workflows in the repository can access the secret.
+* Environment secret: secret is limited to jobs referencing that particular environment.
+* Organization secret: all workflows in the repositories that have been granted access by the organization can access the organization secrets.
+
+#### User access permissions
+
+Repository-level and environment secrets:
+* Users with **admin access** to the repository can create and manage Actions secrets.
+* Users with **collaborator access** to the repository can use the secret.
+
+Organization-level secrets:
+* **Organization owners** can create and manage Actions secrets.
+* Users with **collaborator access** to the repositories with access to each secret can use the secret.
+
+### Limitations and restrictions
+
+* Actions secrets are not available to workflows initiated by {% data variables.product.prodname_dependabot %}.
+* Actions secrets are not passed to workflows that are triggered by a pull request from a fork.
+* {% data variables.product.prodname_actions %} automatically redacts the contents of all {% data variables.product.github %} secrets that are printed to workflow logs.
+* You can store up to 1,000 organization secrets, 100 repository secrets, and 100 environment secrets. Secrets are limited to 48 KB in size. For more information, see [Limits for secrets](/actions/security-for-github-actions/security-guides/using-secrets-in-github-actions#limits-for-secrets).
+
+{% ifversion fpt or ghec %}
+
+## {% data variables.product.prodname_codespaces %} secrets
+
+{% data variables.product.prodname_codespaces %} secrets store credentials and sensitive information, such as API tokens and SSH keys, for use within {% data variables.product.prodname_github_codespaces %}, allowing you to configure secure development environments.
+
+### Usage
+
+{% data variables.product.prodname_codespaces %} secrets are referenced within the {% data variables.product.prodname_codespaces %} development container configuration (`devcontainer.json`).
+
+### Scope
+
+You can define {% data variables.product.prodname_codespaces %} secrets at:
+
+* User account level
+* Repository level
+* Organization level
+
+For user account level secrets, you can choose which repositories have access to the secret.
+{% data variables.product.prodname_codespaces %} secrets can be shared across repositories if set at the organization-level. You can use access policies to control which repositories have access to the secret.
+
+### Access permissions
+
+{% data variables.product.prodname_codespaces %} secrets are only accessible in {% data variables.product.prodname_codespaces %}.
+
+{% data variables.product.prodname_actions %} cannot access {% data variables.product.prodname_codespaces %} secrets.
+
+#### User access permissions
+
+User account-level secrets:
+* {% data variables.product.prodname_codespaces %} secrets are available to any codespace you create using repositories with access to that secret.
+
+Repository-level secrets:
+* Users with **admin access** to the repository can create and manage {% data variables.product.prodname_codespaces %} secrets.
+* Users with **collaborator access** to the repository can use the secret.
+
+Organization-level secrets:
+* **Organization owners** can create and manage {% data variables.product.prodname_codespaces %} secrets.
+* Users with **collaborator access** to the repositories with access to each secret can use the secret.
+
+### Limitations and restrictions
+
+* You can store up to 100 secrets for {% data variables.product.prodname_github_codespaces %}.
+* Secrets are limited to 48 KB in size.
+* {% data variables.product.prodname_codespaces %} secrets are not passed to forks.
+
+{% endif %}
+
+## Further reading
+
+* [AUTOTITLE](/code-security/dependabot/working-with-dependabot/configuring-access-to-private-registries-for-dependabot#storing-credentials-for-dependabot-to-use)
+* [AUTOTITLE](/actions/security-for-github-actions/security-guides/using-secrets-in-github-actions){% ifversion fpt or ghec %}
+* [AUTOTITLE](/codespaces/managing-codespaces-for-your-organization/managing-development-environment-secrets-for-your-repository-or-organization)
+* [AUTOTITLE](/codespaces/managing-your-codespaces/managing-your-account-specific-secrets-for-github-codespaces){% endif %}
@@ -3,7 +3,7 @@ title: Enhance your secret detection capabilities with Copilot secret scanning
 shortTitle: Copilot secret scanning
 allowTitleToDifferFromFilename: true
 intro: 'Learn how {% data variables.product.prodname_secret_scanning %} uses AI to detect generic secrets in your code, and generate regular expressions for your custom patterns.'
-product: '{% data reusables.gated-features.copilot-secret-scanning %}'
+product: '{% data reusables.rai.secret-scanning.copilot-secret-scanning-gated-feature %}'
 versions:
   ghec: '*'
 topics:
 
@@ -3,7 +3,7 @@ title: Responsible detection of generic secrets with Copilot secret scanning
 shortTitle: Generic secret detection
 intro: 'Learn how {% data variables.secret-scanning.copilot-secret-scanning %} uses AI responsibly to scan and create alerts for unstructured secrets, such as passwords.'
 allowTitleToDifferFromFilename: true
-product: '{% data reusables.gated-features.copilot-secret-scanning %}'
+product: '{% data reusables.rai.secret-scanning.copilot-secret-scanning-gated-feature %}'
 versions:
   feature: secret-scanning-ai-generic-secret-detection
   fpt: '*'
@@ -27,7 +27,7 @@ redirect_from:
 
 {% data reusables.rai.secret-scanning.copilot-secret-scanning-generic-secrets-subscription-note %}
 
-{% data variables.product.prodname_GH_advanced_security %} users can already receive {% data variables.secret-scanning.alerts %} for partner or custom patterns found in their source code, but unstructured secrets are not easily discoverable. {% data variables.secret-scanning.copilot-secret-scanning %} uses large language models (LLMs) to identify this type of secret.
+{% data variables.product.prodname_GH_secret_protection %} users can already receive {% data variables.secret-scanning.alerts %} for partner or custom patterns found in their source code, but unstructured secrets are not easily discoverable. {% data variables.secret-scanning.copilot-secret-scanning %} uses large language models (LLMs) to identify this type of secret.
 
 When a password is detected, an alert is displayed in the "Experimental" list of {% data variables.product.prodname_secret_scanning %} alerts (under the **Security** tab of the repository, organization, or enterprise), so that maintainers and security managers can review the alert and, where necessary, remove the credential or implement a fix.
 
 
@@ -2,7 +2,7 @@
 title: Responsible generation of regular expressions with Copilot secret scanning
 shortTitle: Generate regular expressions with AI
 intro: 'Learn about the capabilities and limitations of the {% data variables.secret-scanning.custom-pattern-regular-expression-generator %} in helping you to define custom patterns to extend the capabilities of {% data variables.product.prodname_secret_scanning %}.'
-product: '{% data reusables.gated-features.copilot-secret-scanning %}'
+product: '{% data reusables.rai.secret-scanning.copilot-secret-scanning-gated-feature %}'
 allowTitleToDifferFromFilename: true
 versions:
   feature: secret-scanning-custom-pattern-ai-generated
@@ -71,7 +71,9 @@ Note that {% data variables.secret-scanning.copilot-secret-scanning %}'s {% data
 
 ## Further reading
 
-{% ifversion fpt %}
+{% ifversion ghas-products-cloud %}
+<!-- Nothing to show because the bullets controlled by the feature version below will be visible to fpt -->
+{% elsif fpt %}
 * [AUTOTITLE](/code-security/secret-scanning/introduction/about-secret-scanning)
 * [AUTOTITLE](/code-security/secret-scanning/managing-alerts-from-secret-scanning)
 {% endif %}
 
@@ -31,6 +31,8 @@ redirect_from:
 
 {% data variables.product.prodname_copilot %} uses {% data variables.copilot.copilot_claude_sonnet %} hosted on Amazon Web Services. When using {% data variables.copilot.copilot_claude_sonnet %}, prompts and metadata are sent to Amazon's Bedrock service, which makes the [following data commitments](https://docs.aws.amazon.com/bedrock/latest/userguide/data-protection.html): _Amazon Bedrock doesn't store or log your prompts and completions. Amazon Bedrock doesn't use your prompts and completions to train any AWS models and doesn't distribute them to third parties_.
 
+Beginning March 11th, 2025, {% data variables.copilot.copilot_claude_sonnet %} will additionally be hosted by Anthropic PBC and Google Cloud Platform when used in {% data variables.product.prodname_copilot %} to provide additional model capacity and reliability.
+
 When using {% data variables.copilot.copilot_claude_sonnet %}, input prompts and output completions continue to run through {% data variables.product.prodname_copilot %}'s content filters for public code matching, when applied, along with those for harmful, offensive, or off-topic content.
 
 ## Configuring access