About securing your organization
GitHub has many features that help you improve and maintain the quality of your code. Some features are included in all GitHub plans. Additional features are available if you purchase a GitHub Advanced Security product:
- GitHub Secret Protection, which includes features that help you detect and prevent secret leaks, such as secret scanning and push protection.
- GitHub Code Security, which includes features that help you find and fix vulnerabilities, like code scanning, premium Dependabot features, and dependency review.
Alternatively, you may have a GitHub Advanced Security license that includes all features in GitHub Secret Protection and GitHub Code Security.
You can easily enable and manage GitHub's security features throughout your organization with security configurations, which control repository-level security features, and global settings, which control security features at the organization level. We recommend applying security configurations and customizing your global settings to create a system that best meets the security needs of your organization.
For more information on purchasing GitHub Secret Protection or GitHub Code Security, see About GitHub Advanced Security and Buying Advanced Security for your organization or enterprise in the GitHub Enterprise Cloud documentation.
About security configurations
Security configurations are collections of enablement settings for GitHub's security features that you can apply to any repository within your organization.
You can customize security configurations, allowing you to choose different enablement settings for groups of repositories with specific security needs.
You will only ever see enablement settings for features that have been installed on your GitHub Enterprise Server instance by an enterprise administrator.
To learn how to create custom security configurations, see Creating a custom security configuration.
Note.
If a user in your organization attempts to change the enablement status of a feature in an enforced configuration using the REST API, the API call will appear to succeed (it returns a success status), but no enablement statuses will change. Do not rely on the response code; re-read the repository's settings to confirm the change.
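Because an enforced configuration makes the REST API return success without changing anything, an automation that toggles features must read the repository back and compare. The script below is an added example, not code from this page or from GitHub; it PATCHes the `security_and_analysis` object of a repository, re-reads it with GET, and reports every requested change the repository does not reflect. The `SAMPLE_STATE` object is a constructed stand-in for the GET response of a repository under an enforced configuration, so the check also runs offline; the environment variables `GITHUB_TOKEN`, `GITHUB_REPOSITORY` and `GITHUB_API_URL` are assumptions of this example (on GitHub Enterprise Server the API base is typically `https://HOSTNAME/api/v3` rather than `https://api.github.com`).

```python
"""Apply a security_and_analysis change and verify it actually took effect."""
import json
import os
import urllib.request

# Assumption of this example: GitHub.com by default, overridable for GHES.
API = os.environ.get("GITHUB_API_URL", "https://api.github.com")

# Constructed sample: the `security_and_analysis` object as returned by
# GET /repos/{owner}/{repo} AFTER a PATCH that asked to disable secret
# scanning. The PATCH returned success, but the enforced configuration
# kept the feature enabled, so the state is unchanged.
SAMPLE_STATE = {
    "advanced_security": {"status": "enabled"},
    "secret_scanning": {"status": "enabled"},
    "secret_scanning_push_protection": {"status": "enabled"},
}


def build_patch_payload(requested):
    """{"secret_scanning": "disabled", ...} -> body for PATCH /repos/{owner}/{repo}."""
    return {
        "security_and_analysis": {
            feature: {"status": status} for feature, status in requested.items()
        }
    }


def unchanged_features(requested, state):
    """Return {feature: actual_status} for each requested change the repository
    state does not reflect. An empty dict means every change stuck. A feature
    missing from the response maps to None."""
    ignored = {}
    for feature, wanted in requested.items():
        actual = state.get(feature, {}).get("status")
        if actual != wanted:
            ignored[feature] = actual
    return ignored


def github_request(method, path, token, body=None):
    """Minimal authenticated call to the GitHub REST API."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(API + path, data=data, method=method)
    req.add_header("Authorization", f"Bearer {token}")
    req.add_header("Accept", "application/vnd.github+json")
    req.add_header("X-GitHub-Api-Version", "2022-11-28")
    if data is not None:
        req.add_header("Content-Type", "application/json")
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def apply_and_verify(owner, repo, requested, token):
    """PATCH the repository, then re-read it: the PATCH response alone proves
    nothing when an enforced security configuration is in place."""
    github_request("PATCH", f"/repos/{owner}/{repo}", token, build_patch_payload(requested))
    state = github_request("GET", f"/repos/{owner}/{repo}", token).get("security_and_analysis", {})
    return unchanged_features(requested, state)


if __name__ == "__main__":
    requested = {"secret_scanning": "disabled"}
    token = os.environ.get("GITHUB_TOKEN")
    target = os.environ.get("GITHUB_REPOSITORY")  # e.g. "org/repo"
    if token and target:
        owner, repo = target.split("/", 1)
        ignored = apply_and_verify(owner, repo, requested, token)
    else:
        # Offline: evaluate the constructed sample instead of calling the API.
        ignored = unchanged_features(requested, SAMPLE_STATE)
    if ignored:
        print("Change silently ignored (enforced configuration?):", ignored)
    else:
        print("Change applied.")
```

Run it with `GITHUB_TOKEN` and `GITHUB_REPOSITORY` set to exercise a real repository; without them it evaluates the constructed sample and reports that `secret_scanning` is still `enabled`. The same read-back pattern applies to any other feature key the API accepts in `security_and_analysis`.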
Some situations can break the enforcement of security configurations for a repository. For example, the enablement of code scanning will not apply to a repository if:
- GitHub Actions is initially enabled on the repository, but is then disabled in the repository.
- GitHub Actions required by code scanning configurations are not available in the repository.
- Self-hosted runners with the label code-scanning are not available.
- The list of languages that code scanning default setup should not analyze is changed.
Each repository can only have one security configuration applied to it.
About global settings
While security configurations determine repository-level security settings, global settings determine your organization-level security settings, which are then inherited by all repositories. With global settings, you can customize how security features analyze your organization.
About enabling secure access to private registries
If your organization uses private registries, providing code scanning and Dependabot secure access to these registries will improve code analysis and allow Dependabot to update a wider range of dependencies. For information, see Giving security features access to private registries.
Next steps
To get started with creating a security configuration for your organization, see Creating a custom security configuration.