About securing your organization
GitHub has many features that help you improve and maintain the quality of your code. Some features are included in all GitHub plans. Additional features are available to organizations on GitHub Team and GitHub Enterprise Cloud that purchase a GitHub Advanced Security product:
- GitHub Secret Protection, which includes features that help you detect and prevent secret leaks, such as secret scanning and push protection.
- GitHub Code Security, which includes features that help you find and fix vulnerabilities, such as code scanning, advanced Dependabot features, and dependency review.
Alternatively, you can have a GitHub Advanced Security license, which includes all the features of both GitHub Secret Protection and GitHub Code Security.
You can easily enable and manage GitHub's security features throughout your organization with security configurations, which control repository-level security features, and global settings, which control security features at the organization level. We recommend applying security configurations and customizing your global settings to create a system that best meets the security needs of your organization.
For more information on purchasing GitHub Secret Protection or GitHub Code Security, see About GitHub Advanced Security and Purchasing GitHub Advanced Security for your organization or enterprise.
About security configurations
Security configurations are collections of enablement settings for GitHub's security features that you can apply to any repositories in your organization.
There are two types of security configuration:
- The GitHub-recommended security configuration. This configuration is a collection of enablement settings created and managed by subject matter experts at GitHub. The GitHub-recommended security configuration is designed to adequately secure any repository, and can easily be applied to all repositories in your organization.
- Custom security configurations. These are configurations you can create and edit yourself, allowing you to choose different enablement settings for groups of repositories with specific security needs.
Note
If a user in your organization tries to change the enablement status of a feature in an enforced configuration using the REST API, the API call will appear to succeed, but no enablement status will change. A successful response code is therefore not proof that a setting took effect; read the repository's settings back after the call to confirm the resulting state.
In some situations, enforcement of a security configuration on a repository may be broken. For example, enablement of code scanning will not apply to a repository in the following cases:
- GitHub Actions is initially enabled on the repository, but is later disabled in the repository.
- The GitHub Actions required by the code scanning configuration are not available in the repository.
- The definition of which languages should not be analyzed using code scanning default setup is changed.
Each repository can only have one security configuration applied to it. To find out how you should get started with security configurations, see Choosing a security configuration for your repositories.
You can also create and manage security configurations using the REST API. For more information, see Code security configurations in the REST API documentation.
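The note above is the practical trap when automating security settings through the REST API: a call that is overridden by an enforced configuration still returns success. The following Python script is an added example (not GitHub's own code and not part of this page) of the read-back check a practitioner should build into such automation. It uses the documented `PATCH /repos/{owner}/{repo}` and `GET /repos/{owner}/{repo}` endpoints and their `security_and_analysis` object; the repository name `octo-org/octo-repo`, the token value, and the `fake_enforced_api` transport are constructed so the script runs offline and shows what an enforced configuration silently ignoring a change looks like.

```python
import json
import urllib.request

GITHUB_API = "https://api.github.com"


def build_security_patch(features):
    """Build the PATCH /repos/{owner}/{repo} body for a {feature_name: bool} map.

    Feature names are the keys GitHub accepts under "security_and_analysis",
    e.g. "advanced_security", "secret_scanning", "secret_scanning_push_protection".
    """
    return {
        "security_and_analysis": {
            name: {"status": "enabled" if on else "disabled"}
            for name, on in features.items()
        }
    }


def enablement_drift(requested, repo_object):
    """Compare requested enablement with the "security_and_analysis" block of a
    repository object as returned by GET /repos/{owner}/{repo}.

    Returns {feature: {"requested": ..., "observed": ...}} for every feature whose
    observed state differs from what was requested; an empty dict means all applied.
    A feature missing from the response is reported as "unknown" rather than assumed.
    """
    observed = repo_object.get("security_and_analysis") or {}
    drift = {}
    for name, wanted in requested.items():
        status = (observed.get(name) or {}).get("status", "unknown")
        if (status == "enabled") != wanted:
            drift[name] = {
                "requested": "enabled" if wanted else "disabled",
                "observed": status,
            }
    return drift


def github_request(method, path, token, body=None):
    """Minimal authenticated call to the GitHub REST API; returns the parsed JSON body."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(
        GITHUB_API + path,
        data=data,
        method=method,
        headers={
            "Accept": "application/vnd.github+json",
            "Authorization": f"Bearer {token}",
            "X-GitHub-Api-Version": "2022-11-28",
            "Content-Type": "application/json",
        },
    )
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def set_and_verify(owner, repo, features, token, request=github_request):
    """Request enablement changes, then read the repository back and report drift.

    A 2xx on the PATCH is not evidence that anything changed: when the repository
    is covered by an enforced security configuration the call succeeds and the
    state stays as the configuration dictates. Only the read-back tells you.
    """
    path = f"/repos/{owner}/{repo}"
    request("PATCH", path, token, build_security_patch(features))
    return enablement_drift(features, request("GET", path, token))


# Constructed stand-in for the API (no network, assumption for this example): a
# repository whose enforced configuration keeps push protection on, so a request to
# disable it is silently ignored while the PATCH still "succeeds".
ENFORCED_REPO = {
    "full_name": "octo-org/octo-repo",
    "security_and_analysis": {
        "advanced_security": {"status": "enabled"},
        "secret_scanning": {"status": "enabled"},
        "secret_scanning_push_protection": {"status": "enabled"},
    },
}


def fake_enforced_api(method, path, token, body=None):
    # Both PATCH and GET return the repository object; nothing is ever modified.
    return ENFORCED_REPO


if __name__ == "__main__":
    # Against the real API you would pass a token and omit request=...:
    #   set_and_verify("octo-org", "octo-repo", wanted, os.environ["GITHUB_TOKEN"])
    wanted = {"secret_scanning": True, "secret_scanning_push_protection": False}
    drift = set_and_verify("octo-org", "octo-repo", wanted, "dummy-token",
                           request=fake_enforced_api)
    print("requested changes that did not apply:", drift)
```

The design point is that the PATCH response is never inspected for the outcome; the only trusted signal is the state returned by the subsequent GET. In an audit or drift-detection job, a non-empty `enablement_drift` result for a repository usually means an enforced configuration (or one of the code scanning breakages listed above) is overriding what the caller asked for, and the fix belongs in the organization's configuration rather than in a retried API call.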
About global settings
While security configurations determine repository-level security settings, global settings determine your organization-level security settings, which are then inherited by all repositories. With global settings, you can customize how security features analyze your organization.
About enabling secure access to private registries
If your organization uses private registries, giving code scanning and Dependabot secure access to these registries will improve code analysis and allow Dependabot to update a wider range of dependencies. For information, see Giving security features access to private registries.
About integrating production context
If your organization uses Microsoft Defender for Cloud, JFrog Artifactory, or CI/CD to promote artifacts to production, you can integrate this data into GitHub. This production context helps you prioritize code scanning and Dependabot alerts. For more information, see Prioritizing Dependabot and code scanning alerts using production context.
Next steps
To determine which security configurations are right for the repositories in your organization, see Choosing a security configuration for your repositories.