Security overview

You can use security overview to gain insight into the overall security landscape of your organization or enterprise and to identify repositories that require intervention.

Who can use this feature?

Security overview is available for all organizations on GitHub Team or GitHub Enterprise that have run a secret risk assessment.

Additional views are available for enterprises and their organizations.

Learn how to run a free secret risk assessment

Security overview contains focused views where you can explore trends in detection, remediation, and prevention of security alerts and dig deep into the current state of your codebases.

All organizations on GitHub Enterprise can use:

In addition, data for Advanced Security features, such as code scanning and secret scanning, is shown for organizations and enterprises that use GitHub Secret Protection, GitHub Code Security, or GitHub Advanced Security, and for public repositories. For more information, see About Dependabot alerts and About GitHub Advanced Security.

About the views

Note:

All views show information and metrics for the default branches of the repositories you have permission to view in an organization or enterprise.

The views are interactive, with filters that let you look at the aggregated data in detail, identify sources of high risk, see security trends, and see the impact of pull request analysis on blocking security vulnerabilities from entering your code. As you apply multiple filters to focus on narrower areas of interest, all data and metrics across the view change to reflect your current selection. For more information, see Filtering alerts in security overview.

From security overview, you can download comma-separated values (CSV) files containing data from several pages of your organization or enterprise's security overview. These files can be used for efforts like security research and in-depth data analysis, and can integrate easily with external datasets. For more information, see Exporting data from security overview.

There are dedicated views for each type of security alert. You can limit your analysis to a specific type of alert, and then narrow the results further with a range of filters specific to each view. For example, in the secret scanning alert view, you can use the "Secret type" filter to view only secret scanning alerts for a specific secret, like a GitHub personal access token.

Note:

Security overview displays active alerts raised by security features. If there are no alerts shown in security overview for a repository, undetected security vulnerabilities or code errors may still exist or the feature may not be enabled for that repository.

About security overview for organizations

The application security team at your company can use the different views for both broad and specific analyses of your organization's security status. For example, the team can use the "Overview" dashboard view to track your organization's security landscape and progression.

You can find security overview on the Security tab for any organization. Each view shows a summary of the data that you have access to. As you add filters, all data and metrics across the view change to reflect the repositories or alerts that you've selected.

Security overview has multiple views that provide different ways to explore enablement and alert data.

  • Overview: visualize trends in Detection, Remediation, and Prevention of security alerts, see Viewing security insights.
  • Risk and Alert views: explore the risk from security alerts of all types or focus on a single alert type and identify your risk from specific vulnerable dependencies, code weaknesses, or leaked secrets, see Assessing the security risk of your code.
  • Coverage: assess the adoption of security features across repositories in the organization, see Assessing adoption of security features.
  • Assessments: regardless of the enablement status of Advanced Security features, organizations on GitHub Team and GitHub Enterprise can run a free report to scan the code in the organization for leaked secrets, see About secret security with GitHub.
  • Campaigns: coordinate and measure targeted remediation efforts, grouping related security tasks across repositories, assigning owners, and tracking progress toward defined risk‑reduction goals.
  • Enablement trends: see how quickly different teams are adopting security features.
  • CodeQL pull request alerts: assess the impact of running CodeQL on pull requests and how development teams are resolving code scanning alerts, see Viewing metrics for pull request alerts.
  • Dependabot dashboard: prioritize and track critical vulnerabilities by identifying, remediating, and measuring security improvements across repositories.
  • Secret scanning insights: find out which types of secret are blocked by push protection and which teams are bypassing push protection, see Viewing metrics for secret scanning push protection and Reviewing requests to bypass push protection.

You can also create and manage security campaigns to remediate alerts from security overview, see Creating and managing security campaigns and Best practices for fixing security alerts at scale.

About security overview for enterprises

You can find security overview on the Security tab for your enterprise. Each page displays aggregated and repository-specific security information for your enterprise.

As with security overview for organizations, security overview for enterprises has multiple views that provide different ways to explore data.

Access to data in security overview

What you can see in security overview depends on your role and permissions in the organization or enterprise.

In general:

  • Organization owners and security managers can view security data across all repositories in their organization.
  • Organization members can view data only for repositories where they have access to security alerts.
  • Enterprise owners can view aggregated security data in the enterprise-level security overview for organizations where they are an organization owner or security manager. To see repository-level details, they must have the appropriate role within the organization.

Security overview displays data only for repositories you have permission to view, and some views or actions may be limited based on your role.

For detailed, role-by-role permission information, including which views are available and how repository access affects visibility, see Security overview permissions.
