Applying the GitHub-recommended security configuration to your enterprise

Secure your code with the security enablement settings created, managed, and recommended by GitHub.

Who can use this feature?

Enterprise owners and members with the admin role

The GitHub-recommended security configuration is a set of industry best practices and features that provide a robust, baseline security posture for enterprises. This configuration is created and maintained by subject matter experts at GitHub, with the help of multiple industry leaders and experts. The GitHub-recommended security configuration is designed to successfully reduce the security risks for low- and high-impact repositories. We recommend you apply this configuration to all the repositories in your enterprise.

The GitHub-recommended security configuration includes GitHub Code Security and GitHub Secret Protection features. Applying the configuration to private and internal repositories will incur usage costs or require GHAS licenses. For more information, see About GitHub Advanced Security.

Warning

GitHub may add new features to the GitHub-recommended security configuration without warning. If you have concerns and prefer to test out features before they are turned on, we suggest you do not use the GitHub-recommended security configuration.

  1. Navigate to your enterprise. For example, from the Enterprises page on GitHub.com.
  2. At the top of the page, click Settings.
  3. In the left sidebar, click Advanced Security.
  4. In the "GitHub recommended" row of the configurations table for your enterprise, select the Apply to dropdown menu, then click All repositories or All repositories without configurations.
     1. Optionally, in the confirmation dialog, you can choose to automatically apply the security configuration to newly created repositories depending on their visibility. Select the None dropdown menu, then click Public, Private and internal, or both.
     2. Review the detailed information about how your changes will affect GitHub Secret Protection, GitHub Code Security, or GitHub Advanced Security license consumption. To apply the security configuration, click Apply.

The security configuration is applied to both active and archived repositories because some security features run on archived repositories, for example, secret scanning. In addition, if a repository is later unarchived you can be confident that it is protected by the chosen security configuration.

If security configurations fail to apply to some organizations in your enterprise, GitHub will display a banner on the UI to let you know. You can click the links on the banner to get more information about the organizations and repositories involved.

  1. Navigate to your enterprise. For example, from the Enterprises page on GitHub.com.

  2. At the top of the page, click Settings.

  3. In the left sidebar, click Advanced Security.

  4. In the "Configurations" section, select "GitHub recommended".

  5. In the "Policy" section, next to "Enforce configuration", select Enforce from the dropdown menu.

    Note

    Some situations can break the enforcement of security configurations. See Security configuration enforcement.

  6. Click Save configuration to save your change to the GitHub-recommended security configuration.
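The two procedures above (apply to existing and new repositories, then enforce) can also be scripted for an enterprise with many organizations. The example below is added here and is not GitHub's own code; the REST endpoint paths, request fields and enum values are assumptions drawn from the REST API reference for enterprise code security configurations, not from this page, and the sample configuration list is constructed.

```python
"""Plan the REST calls that mirror the UI steps for the GitHub-recommended configuration.
Assumed (not on this page): enterprise code-security-configuration endpoints and their
enum values; verify them against the current REST API reference before use."""
import json
import urllib.request

API = "https://api.github.com"

# Constructed sample of GET /enterprises/{enterprise}/code-security/configurations
SAMPLE_CONFIGS = [
    {"id": 17, "name": "GitHub recommended", "target_type": "global"},
    {"id": 1001, "name": "Legacy baseline", "target_type": "enterprise"},
]

def find_recommended(configs):
    """Return the GitHub-managed 'GitHub recommended' configuration, or None."""
    return next((c for c in configs if c.get("name") == "GitHub recommended"), None)

def plan_rollout(enterprise, configs, scope="all",
                 new_repo_default="private_and_internal", enforce=True):
    """Build the ordered requests matching the UI: attach to existing repositories
    (all / all without configurations), set the default for new repositories by
    visibility (none / public / private_and_internal / all), then enforce."""
    if scope not in ("all", "all_without_configurations"):
        raise ValueError("scope must be 'all' or 'all_without_configurations'")
    if new_repo_default not in ("none", "public", "private_and_internal", "all"):
        raise ValueError("unknown default_for_new_repos value")
    cfg = find_recommended(configs)
    if cfg is None:
        raise LookupError("GitHub recommended configuration not found")
    base = f"/enterprises/{enterprise}/code-security/configurations/{cfg['id']}"
    plan = [("POST", base + "/attach", {"scope": scope}),
            ("PUT", base + "/defaults", {"default_for_new_repos": new_repo_default})]
    if enforce:  # assumed PATCH field: enforcement = enforced | unenforced
        plan.append(("PATCH", base, {"enforcement": "enforced"}))
    return plan

def execute(plan, token):
    """Send each planned request with an enterprise-owner token (network required)."""
    headers = {"Authorization": f"Bearer {token}", "Accept": "application/vnd.github+json",
               "Content-Type": "application/json"}
    for method, path, body in plan:
        req = urllib.request.Request(API + path, data=json.dumps(body).encode(),
                                     method=method, headers=headers)
        with urllib.request.urlopen(req) as resp:
            print(method, path, resp.status)

if __name__ == "__main__":
    for step in plan_rollout("example-enterprise", SAMPLE_CONFIGS):
        print(*step)
```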