If you are familiar with GitHub's security products, and you have specific security needs that the GitHub-recommended security configuration can't meet, you can create and apply custom security configurations. For more information, see Security configurations.
Important
The order and names of some settings will differ depending on whether you are using licenses for the original GitHub Advanced Security product, or for the two new products: GitHub Code Security and GitHub Secret Protection. See Creating a GitHub Advanced Security configuration or Creating a Secret Protection and Code Security configuration.
Creating a Secret Protection and Code Security configuration
1. In the upper-right corner of GitHub, click your profile picture, then click Organizations.
2. Under your organization name, click Settings. If you cannot see the "Settings" tab, select the dropdown menu, then click Settings.
3. In the "Security" section of the sidebar, select the Advanced Security dropdown menu, then click Configurations.
4. In the "Security configurations" section, click New configuration.
5. To help identify your custom security configuration and clarify its purpose on the "Security configurations" page, name your configuration and create a description.
6. Optionally, enable "Secret Protection", a paid feature for private and internal repositories. Enabling Secret Protection enables alerts for secret scanning. In addition, you can choose whether to enable, disable, or keep the existing settings for the following secret scanning features:
   - Validity checks. To learn more about validity checks for partner patterns, see About validity checks and Evaluating alerts from secret scanning.
   - Extended metadata. To learn more about extended metadata checks, see About extended metadata checks and Evaluating alerts from secret scanning.
     Note
     You can only enable extended metadata checks if validity checks are enabled.
   - Non-provider patterns. To learn more about scanning for non-provider patterns, see Supported secret scanning patterns and Viewing and filtering alerts from secret scanning.
   - Scan for generic passwords. To learn more, see Responsible detection of generic secrets with Copilot secret scanning.
   - Push protection. To learn about push protection, see About push protection.
   - Bypass privileges. By assigning bypass privileges, selected organization members can bypass push protection, and there is a review and approval process for all other contributors. See About delegated bypass for push protection.
   - Prevent direct alert dismissals. To learn more, see Enabling delegated alert dismissal for secret scanning.
7. Optionally, enable "Code Security", a paid feature for private and internal repositories. You can choose whether to enable, disable, or keep the existing settings for the following code scanning features:
   - Default setup. To learn more about default setup, see Configuring default setup for code scanning.
     Note
     To create a configuration that you can apply to all repositories regardless of their current code scanning setup, choose "Enabled with advanced setup allowed". This setting enables default setup only in repositories where CodeQL analysis is not already running. This option is available from GitHub Enterprise Server 3.19.
   - Runner type. If you want to target specific runners for code scanning, you can choose to use custom-labeled runners at this step. See Configuring default setup for code scanning.
   - Prevent direct alert dismissals. To learn more, see Enabling delegated alert dismissal for code scanning.
8. Still under "Code Security", in the "Dependency scanning" table, choose whether you want to enable, disable, or keep the existing settings for the following dependency scanning features:
   - Dependency graph. To learn about the dependency graph, see About the dependency graph.
     Tip
     When both "Code Security" and Dependency graph are enabled, dependency review is enabled as well. See About dependency review.
   - Automatic dependency submission. To learn about automatic dependency submission, see Configuring automatic dependency submission for your repository.
   - Dependabot alerts. To learn about Dependabot, see About Dependabot alerts.
   - Security updates. To learn about security updates, see About Dependabot security updates.
   - Prevent direct alert dismissals. To learn more, see Enabling delegated alert dismissal for Dependabot.
9. For "Private vulnerability reporting", choose whether you want to enable, disable, or keep the existing settings. To learn about private vulnerability reporting, see Configuring private vulnerability reporting for a repository.
10. Optionally, in the "Policy" section, you can use additional options to control how the configuration is applied:
    - Use as default for newly created repositories. Select the None dropdown menu, then click Public, Private and internal, or All repositories.
      Note
      The default security configuration for an organization is only applied automatically to new repositories created in your organization. If a repository is transferred into your organization, you still need to apply an appropriate security configuration to that repository manually.
    - Enforce configuration. Block repository owners from changing features that are enabled or disabled by the configuration (features that are not set aren't enforced). Select Enforce from the dropdown menu.
      Note
      Some situations can break the enforcement of security configurations. See Security configuration enforcement.
11. To finish creating your custom security configuration, click Save configuration.
Creating a GitHub Advanced Security configuration
1. In the upper-right corner of GitHub, click your profile picture, then click Organizations.
2. Under your organization name, click Settings. If you cannot see the "Settings" tab, select the dropdown menu, then click Settings.
3. In the "Security" section of the sidebar, select the Advanced Security dropdown menu, then click Configurations.
4. In the "Security configurations" section, click New configuration.
5. To help identify your custom security configuration and clarify its purpose on the "New configuration" page, name your configuration and create a description.
6. In the "GitHub Advanced Security features" row, choose whether to include or exclude GitHub Advanced Security (GHAS) features.
7. In the "Secret scanning" table, choose whether you want to enable, disable, or keep the existing settings for the following security features:
   - Validity checks. To learn more about validity checks for partner patterns, see Evaluating alerts from secret scanning.
   - Non-provider patterns. To learn more about scanning for non-provider patterns, see Supported secret scanning patterns and Viewing and filtering alerts from secret scanning.
   - Scan for generic passwords. To learn more, see Responsible detection of generic secrets with Copilot secret scanning.
   - Push protection. To learn about push protection, see About push protection.
   - Bypass privileges. By assigning bypass privileges, selected organization members can bypass push protection, and there is a review and approval process for all other contributors. See About delegated bypass for push protection.
   - Prevent direct alert dismissals. To learn more, see Enabling delegated alert dismissal for secret scanning.
8. In the "Code scanning" table, choose whether you want to enable, disable, or keep the existing settings for code scanning default setup:
   - Default setup. To learn more about default setup, see Configuring default setup for code scanning.
     Note
     To create a configuration that you can apply to all repositories regardless of their current code scanning setup, choose "Enabled with advanced setup allowed". This setting enables default setup only in repositories where CodeQL analysis is not already running. This option is available from GitHub Enterprise Server 3.19.
   - Runner type. If you want to target specific runners for code scanning, you can choose to use custom-labeled runners at this step. See Configuring default setup for code scanning.
   - Prevent direct alert dismissals. To learn more, see Enabling delegated alert dismissal for code scanning.
9. In the "Dependency scanning" table, choose whether you want to enable, disable, or keep the existing settings for the following dependency scanning features:
   - Dependency graph. To learn about the dependency graph, see About the dependency graph.
     Tip
     When both "GitHub Advanced Security" and Dependency graph are enabled, dependency review is enabled as well. See About dependency review.
   - Automatic dependency submission. To learn about automatic dependency submission, see Configuring automatic dependency submission for your repository.
   - Dependabot alerts. To learn about Dependabot, see About Dependabot alerts.
   - Security updates. To learn about security updates, see About Dependabot security updates.
   - Prevent direct alert dismissals. To learn more, see Enabling delegated alert dismissal for Dependabot.
10. For "Private vulnerability reporting", choose whether you want to enable, disable, or keep the existing settings. To learn about private vulnerability reporting, see Configuring private vulnerability reporting for a repository.
11. Optionally, in the "Policy" section, you can use additional options to control how the configuration is applied:
    - Use as default for newly created repositories. Select the None dropdown menu, then click Public, Private and internal, or All repositories.
      Note
      The default security configuration for an organization is only applied automatically to new repositories created in your organization. If a repository is transferred into your organization, you still need to apply an appropriate security configuration to that repository manually.
    - Enforce configuration. Block repository owners from changing features that are enabled or disabled by the configuration (features that are not set aren't enforced). Select Enforce from the dropdown menu.
12. To finish creating your custom security configuration, click Save configuration.
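Both procedures above build the same kind of configuration through the UI. As an added example (not from GitHub's documentation), the following builds the equivalent request body for GitHub's REST endpoint POST /orgs/{org}/code-security/configurations, using the same enable / disable / keep-existing ("not_set") choices as the steps, and applies the page's rule that enforcement only locks features the configuration actually sets. The org name, token and helper names are assumptions; the field names follow the public REST API.

```python
# Added example, not from the GitHub docs page: the REST counterpart of the UI steps
# (POST /orgs/{org}/code-security/configurations). Org name and token are placeholders.
import json, urllib.request

VALID = {"enabled", "disabled", "not_set"}  # "not_set" keeps each repo's current setting

# UI option (as named in the steps above) -> field in the REST request body.
FEATURE_FIELDS = {
    "secret_scanning": "secret_scanning",
    "validity_checks": "secret_scanning_validity_checks",
    "non_provider_patterns": "secret_scanning_non_provider_patterns",
    "generic_secrets": "secret_scanning_generic_secrets",
    "push_protection": "secret_scanning_push_protection",
    "bypass_privileges": "secret_scanning_delegated_bypass",
    "code_scanning_default_setup": "code_scanning_default_setup",
    "dependency_graph": "dependency_graph",
    "automatic_dependency_submission": "dependency_graph_autosubmit_action",
    "dependabot_alerts": "dependabot_alerts",
    "security_updates": "dependabot_security_updates",
    "private_vulnerability_reporting": "private_vulnerability_reporting",
}

def build_payload(name, description, enforce=False, **features):
    """Translate the UI choices into the request body, rejecting unknown values."""
    body = {"name": name, "description": description,
            "advanced_security": "enabled",  # licenses the paid features on private repos
            "enforcement": "enforced" if enforce else "unenforced"}
    for feature, value in features.items():
        if feature not in FEATURE_FIELDS:
            raise ValueError(f"unknown feature: {feature}")
        if value not in VALID:
            raise ValueError(f"{feature}: expected one of {sorted(VALID)}, got {value!r}")
        body[FEATURE_FIELDS[feature]] = value
    return body

def enforced_features(body):
    """Enforcement only locks features the configuration sets; 'not_set' stays editable."""
    if body.get("enforcement") != "enforced":
        return []
    fields = set(FEATURE_FIELDS.values())
    return sorted(k for k, v in body.items() if k in fields and v != "not_set")

def create_configuration(org, token, body):
    """Send the configuration to GitHub (needs network and an org-admin token)."""
    req = urllib.request.Request(
        f"https://api.github.com/orgs/{org}/code-security/configurations",
        data=json.dumps(body).encode(), method="POST",
        headers={"Authorization": f"Bearer {token}", "Accept": "application/vnd.github+json"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)
```

Review the output of enforced_features before calling create_configuration with enforce=True: anything it lists can no longer be changed by repository owners once the configuration is applied.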
Next steps
To apply your custom security configuration to repositories in your organization, see Applying a custom security configuration.
To learn how to edit your custom security configuration, see Editing a custom security configuration.