
Enforcing policies for code security and analysis for your enterprise

You can enforce policies to manage the use of code security and analysis features within your enterprise's organizations.

Who can use this feature?

Enterprise owners

GitHub Code Security and GitHub Secret Protection are available for accounts on GitHub Team and GitHub Enterprise Cloud.

Some features are also available for free for public repositories on GitHub.com. For more information, see GitHub’s plans.

For information about GitHub Advanced Security for Azure DevOps, see Configure GitHub Advanced Security for Azure DevOps in Microsoft Learn.

About policies for using security features in your enterprise

You can enforce policies to manage the use of security features within organizations owned by your enterprise. In particular, you can allow or prevent people with admin access to a repository from enabling or disabling the security and analysis features for that repository.

Additionally, you can enforce policies for the use of GitHub Advanced Security products in your enterprise's organizations and repositories.

Enforcing a policy for the availability of Advanced Security in your enterprise's organizations

GitHub bills for Advanced Security products on a per-committer basis. See About billing for GitHub Advanced Security.

You can enforce a policy that controls whether repository administrators are allowed to enable features for Advanced Security in an organization's repositories. You can configure a policy for all organizations owned by your enterprise account, or for individual organizations that you choose.

Disallowing GitHub Secret Protection or GitHub Code Security for an organization prevents repository administrators from enabling those features for additional repositories. It does not disable the features for repositories where they are already enabled, so existing enablement (and the committer-based billing it incurs) persists until someone with sufficient permissions turns the feature off.

Note

This policy only restricts repository administrators. Organization owners and security managers can always enable security features, regardless of how you set this policy. For more information, see Roles in an organization.

  1. In the top-right corner of GitHub, click your profile photo.

  2. Depending on your environment, click Your enterprise, or click Your enterprises then click the enterprise you want to view.

  3. At the top of the page, click Policies.

  4. Under "Policies", click Advanced Security.

  5. Under "Advanced Security availability", select the dropdown menu, then click a policy for the organizations owned by your enterprise.

  6. Optionally, if you chose Allow for selected organizations, to the right of an organization, select the dropdown menu to define which Advanced Security products are available to the organization.

    Screenshot of the dropdown menu to choose an Advanced Security policy for selected organizations in the enterprise. The dropdown is outlined.
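Because disallowing a product does not switch it off where it is already enabled, it is worth reconciling the policy you just set against the actual per-repository state. The following script is an added example, not code from GitHub or from this page. It assumes repository objects shaped like the output of `gh api /orgs/ORG/repos --paginate` (a `security_and_analysis` object with per-feature `status` fields; the exact field names are an assumption about the REST API response) and runs offline against a constructed sample embedded below.

```python
"""
Audit which repositories still have Advanced Security features enabled
after an enterprise policy has disallowed them.

Added example, not from GitHub's documentation or code. The JSON shape
(`security_and_analysis.<feature>.status`) is an assumption about the
REST API response for GET /orgs/{org}/repos; adjust if it differs.
Usage with live data (not run here):
    gh api /orgs/ORG/repos --paginate | python audit_ghas.py secret_scanning
"""
import json
import sys

# Features reported under security_and_analysis (assumed names).
FEATURES = (
    "advanced_security",
    "secret_scanning",
    "secret_scanning_push_protection",
)

# Constructed sample standing in for the API response; not real repositories.
SAMPLE_REPOS_JSON = """
[
  {"full_name": "acme/payments", "visibility": "private",
   "security_and_analysis": {
     "advanced_security": {"status": "enabled"},
     "secret_scanning": {"status": "enabled"},
     "secret_scanning_push_protection": {"status": "disabled"}}},
  {"full_name": "acme/website", "visibility": "public",
   "security_and_analysis": {
     "secret_scanning": {"status": "enabled"},
     "secret_scanning_push_protection": {"status": "enabled"}}},
  {"full_name": "acme/infra", "visibility": "private",
   "security_and_analysis": {
     "advanced_security": {"status": "disabled"},
     "secret_scanning": {"status": "disabled"},
     "secret_scanning_push_protection": {"status": "disabled"}}}
]
"""


def feature_status(repo, feature):
    """Return 'enabled', 'disabled' or 'unknown' for one feature on one repo.

    Public repositories may omit advanced_security entirely (the free
    features do not need it), so a missing key is reported as 'unknown'
    rather than treated as disabled.
    """
    sa = repo.get("security_and_analysis") or {}
    return sa.get(feature, {}).get("status", "unknown")


def enabled_repos(repos, feature):
    """Sorted full names of repositories where `feature` is enabled."""
    return sorted(r["full_name"] for r in repos
                  if feature_status(r, feature) == "enabled")


def audit(repos, features=FEATURES):
    """Map each feature to the repositories that currently have it enabled."""
    return {f: enabled_repos(repos, f) for f in features}


def policy_gaps(repos, disallowed_features):
    """Repositories that keep a feature the enterprise policy now disallows.

    Disallowing a product only stops repository admins enabling it for
    additional repositories; these entries must be reviewed and, if
    intended, disabled by an organization owner or security manager.
    """
    gaps = {}
    for feature in disallowed_features:
        for name in enabled_repos(repos, feature):
            gaps.setdefault(name, []).append(feature)
    return gaps


def main():
    disallowed = sys.argv[1:] or ["advanced_security"]
    raw = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_REPOS_JSON
    repos = json.loads(raw)
    for feature, names in audit(repos).items():
        print(f"{feature}: {', '.join(names) or '(none)'}")
    for name, feats in policy_gaps(repos, disallowed).items():
        print(f"REVIEW {name}: still enabled -> {', '.join(feats)}")


if __name__ == "__main__":
    main()
```

Run it with `python audit_ghas.py` to see the constructed sample, or pipe the real `gh api` output into it. The report lists, per feature, where it is enabled, and flags repositories that would keep a disallowed product until an organization owner or security manager disables it.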

Enforcing a policy for visibility of dependency insights

Dependency insights show all open source projects that repositories within your enterprise's organizations depend on. Dependency insights include aggregated information about security advisories and licenses. For more information, see Viewing insights for dependencies in your organization.

Across all organizations owned by your enterprise, you can control whether organization members can view dependency insights. You can also allow owners to administer the setting on the organization level. For more information, see Changing the visibility of your organization's dependency insights.

  1. In the top-right corner of GitHub, click your profile photo.

  2. Depending on your environment, click Your enterprise, or click Your enterprises then click the enterprise you want to view.

  3. At the top of the page, click Policies.

  4. Under "Policies", click Advanced Security.

  5. In the "Policies" section, under "Dependency insights", review the information about changing the setting.

  6. Optionally, to view the current configuration for all organizations in the enterprise account before you change the setting, click View your organizations' current configurations.

    Screenshot of a policy in the enterprise settings. A link, labeled "View your organizations' current configurations", is outlined.

  7. Under "Dependency insights", select the dropdown menu and click a policy.

Enforcing a policy to manage the use of Dependabot alerts in your enterprise

Across all organizations owned by your enterprise, you can control whether members with admin permissions for a repository can enable or disable Dependabot alerts and change the Dependabot alerts settings for that repository.

Note

This policy only restricts repository administrators. Organization owners and security managers can always enable security features, regardless of how you set this policy. For more information, see Roles in an organization.

  1. In the top-right corner of GitHub, click your profile photo.
  2. Depending on your environment, click Your enterprise, or click Your enterprises then click the enterprise you want to view.
  3. At the top of the page, click Policies.
  4. Under "Policies", click Advanced Security.
  5. In the "Policies" section, under "Enable or disable Dependabot alerts by repository admins", use the dropdown menu to choose a policy.

Enforcing a policy to manage the use of Advanced Security features in your enterprise's repositories

Across all of your enterprise's organizations, you can allow or prevent people with admin access to repositories from managing the use of Advanced Security features in those repositories.

  1. In the top-right corner of GitHub, click your profile photo.

  2. Depending on your environment, click Your enterprise, or click Your enterprises then click the enterprise you want to view.

  3. At the top of the page, click Policies.

  4. Under "Policies", click Advanced Security.

  5. In the "Policies" section, under "Repository administrators can enable or disable Secret Protection" and "Repository administrators can enable or disable Code Security", use the dropdown menus to define whether repository administrators can change the enablement of each product.

Enforcing a policy to manage the use of AI detection for secret scanning in your enterprise's repositories

Across all of your enterprise's organizations, you can allow or prevent people with admin access to repositories from managing and configuring AI detection in secret scanning for those repositories. This policy only takes effect if repository administrators are also allowed to change the enablement of Secret Protection (controlled by the "Repository administrators can enable or disable Secret Protection" policy); if that policy disallows them, this one has no additional effect.

  1. In the top-right corner of GitHub, click your profile photo.
  2. Depending on your environment, click Your enterprise, or click Your enterprises then click the enterprise you want to view.
  3. At the top of the page, click Policies.
  4. Under "Policies", click Advanced Security.
  5. In the "Policies" section, under "AI detection in secret scanning", select the dropdown menu and click a policy.

Enforcing a policy to manage the use of Copilot Autofix in your enterprise's repositories

Across all of your enterprise's organizations, you can allow or prevent people with admin access to repositories from managing where Copilot Autofix is enabled. GitHub Code Security must be enabled for the organization for this policy to take effect.

  1. In the top-right corner of GitHub, click your profile photo.
  2. Depending on your environment, click Your enterprise, or click Your enterprises then click the enterprise you want to view.
  3. At the top of the page, click Policies.
  4. Under "Policies", click Advanced Security.
  5. In the "Policies" section, under "Copilot Autofix", select the dropdown menu and click a policy.