About enabling delegated alert dismissal
Delegated alert dismissal lets you restrict which users can directly dismiss an alert. When the feature is enabled:
- Users with write access to a repository must request to dismiss alerts in that repository.
- Organization owners and security managers can approve or deny dismissal requests, as well as dismiss alerts directly themselves.
You can also use custom roles with the following permissions to let other team members manage requests and dismiss alerts directly:
- For code scanning: "Review code scanning alert dismissal requests" and "Bypass code scanning alert dismissal requests"
- For secret scanning: "Review and manage secret scanning alert dismissal requests"
- For Dependabot: "Review Dependabot alert dismissal requests" and "Bypass Dependabot alert dismissal requests"
Reviewers are notified of dismissal requests via email, and can either approve the request to dismiss the alert, or deny the request to leave the alert open. After a request is reviewed, the requester is notified of the outcome via email.
Hinweis
The implementation of this approval process can potentially cause some friction, so it's important to ensure that the team of security managers has adequate coverage to review dismissal requests regularly before proceeding.
Configuring delegated dismissal for a repository
Hinweis
If an organization owner configures delegated alert dismissal via an enforced security configuration, the settings can't be changed at the repository level.
-
On GitHub, navigate to the main page of the repository.
-
Under your repository name, click Settings. If you cannot see the "Settings" tab, select the dropdown menu, then click Settings.
-
In the "Security" section of the sidebar, click Advanced Security.
-
Under "Secret Protection", to the right of "Prevent direct alert dismissals", click Enable.
Configuring delegated dismissal for an organization
You must configure delegated dismissal for your organization using a custom security configuration. You can then apply the security configuration to all (or selected) repositories in your organization.
- Create a new custom security configuration, or edit an existing one. See Creating a custom security configuration.
- When defining the custom security configuration, under "Secret scanning", ensure that the dropdown menu for "Prevent direct alert dismissals" is set to Enabled.
- Click Save configuration.
- Apply the security configuration to all (or selected) repositories in your organization. See Applying a custom security configuration.
To learn more about security configurations, see About enabling security features at scale.
Hinweis
You can use GitHub Apps with fine-grained permissions to programmatically review and approve delegated dismissal requests. This enables your organization to streamline security request reviews and enforce policies, or integrate with external security tools, ensuring that all reviews meet established standards. For GitHub Enterprise Server, the use of GitHub Apps to review requests for delegated dismissals is available from version 3.19. For more information about permissions, see Organization permissions for "Organization bypass requests for secret scanning".
Next steps
Now that you have enabled delegated alert dismissal for secret scanning, you should regularly review alert dismissal requests to maintain an accurate alert count and unblock your developers. See Reviewing alert dismissal requests.