About custom security configurations
With custom security configurations, you can create collections of enablement settings for GitHub's security products to meet the specific security needs of your organization. For example, you can create a different custom security configuration for each group of repositories to reflect their different levels of visibility, risk tolerance, and impact.
You can also choose whether or not you want to include GitHub Code Security or GitHub Secret Protection features in a configuration. For more information, see About GitHub Advanced Security.
- Only features installed by a site administrator on your GitHub Enterprise Server instance will appear in the UI.
- Some features will only be visible if your organization or GitHub Enterprise Server instance has purchased the relevant GitHub Advanced Security product (GitHub Code Security or GitHub Secret Protection).
- Certain features, like Dependabot security updates and code scanning default setup, also require that GitHub Actions is installed on the GitHub Enterprise Server instance.
Important
The order and names of some settings will differ depending on whether you are using licenses for the original GitHub Advanced Security product, or for the two new products: GitHub Code Security and GitHub Secret Protection. See Creating a GitHub Advanced Security configuration or Creating a Secret Protection and Code Security configuration.
Creating a Secret Protection and Code Security configuration
-
In the upper-right corner of GitHub, select your profile photo, then click Your organizations.
-
Under your organization name, click Settings. If you cannot see the "Settings" tab, select the dropdown menu, then click Settings.
-
In the "Security" section of the sidebar, select the Advanced Security dropdown menu, then click Configurations.
-
In the "Security configurations" section, click New configuration.
-
To help identify your custom security configuration and clarify its purpose on the "Security configurations" page, name your configuration and create a description.
-
Optionally, enable "Secret Protection", a paid feature for private repositories. Enabling Secret Protection enables alerts for secret scanning. In addition, you can choose whether to enable, disable, or keep the existing settings for the following secret scanning features:
- Non-provider patterns. To learn more about scanning for non-provider patterns, see Supported secret scanning patterns and Viewing and filtering alerts from secret scanning.
- Push protection. To learn about push protection, see About push protection.
- Bypass privileges. By assigning bypass privileges, selected organization members can bypass push protection, and there is a review and approval process for all other contributors. See About delegated bypass for push protection.
- Prevent direct alert dismissals. To learn more, see Enabling delegated alert dismissal for secret scanning.
-
Optionally, enable "Code Security", a paid feature for private repositories. You can choose whether to enable, disable, or keep the existing settings for the following code scanning features:
- Default setup. To learn more, see Configuring default setup for code scanning.
- Runner type. If you want to target specific runners for code scanning, you can choose to use custom-labeled runners at this step. See Configuring default setup for code scanning.
- Prevent direct alert dismissals. To learn more, see Enabling delegated alert dismissal for code scanning.
-
Still under "Code Security", in the "Dependency scanning" table, choose whether you want to enable, disable, or keep the existing settings for the following dependency scanning features:
- Dependency graph. To learn about dependency graph, see About the dependency graph.
Tip
When both "Code Security" and Dependency graph are enabled, this enables dependency review, see About dependency review.
- Dependabot alerts. To learn about Dependabot, see About Dependabot alerts.
- Security updates. To learn about security updates, see About Dependabot security updates.
- Dependency graph. To learn about dependency graph, see About the dependency graph.
-
Optionally, in the "Policy" section, you can use additional options to control how the configuration is applied:
- Use as default for newly created repositories. Select the None dropdown menu, then click Public, Private and internal, or All repositories.
Note
The default security configuration for an organization is only automatically applied to new repositories created in your organization. If a repository is transferred into your organization, you will still need to apply an appropriate security configuration to the repository manually.
- Enforce configuration. Block repository owners from changing features that are enabled or disabled by the configuration (features that are not set aren't enforced). Select Enforce from the dropdown menu.
- Use as default for newly created repositories. Select the None dropdown menu, then click Public, Private and internal, or All repositories.
-
To finish creating your custom security configuration, click Save configuration.
Note
If a user in your enterprise attempts to change the enablement status of a feature in an enforced configuration using the REST API, the API call will appear to succeed, but no enablement statuses will change.
Some situations can break the enforcement of security configurations for a repository. For example, the enablement of code scanning will not apply to a repository if:
- GitHub Actions is initially enabled on the repository, but is then disabled in the repository.
- GitHub Actions required by code scanning configurations are not available in the repository.
- Self-hosted runners with the label
code-scanningare not available. - The definition for which languages should not be analyzed using code scanning default setup is changed.
Creating a GitHub Advanced Security configuration
-
In the upper-right corner of GitHub, select your profile photo, then click Your organizations.
-
Under your organization name, click Settings. If you cannot see the "Settings" tab, select the dropdown menu, then click Settings.
-
In the "Security" section of the sidebar, select the Advanced Security dropdown menu, then click Configurations.
-
In the "Security configurations" section, click New configuration.
-
To help identify your custom security configuration and clarify its purpose on the "New configuration" page, name your configuration and create a description.
-
In the "GitHub Advanced Security features" row, choose whether to include or exclude GitHub Advanced Security (GHAS) features.
-
In the "Secret scanning" table, choose whether you want to enable, disable, or keep the existing settings for the following security features:
- Alerts. To learn about secret scanning alerts, see About secret scanning.
- Non-provider patterns. To learn more about scanning for non-provider patterns, see Supported secret scanning patterns and Viewing and filtering alerts from secret scanning.
- Push protection. To learn about push protection, see About push protection.
- Bypass privileges. By assigning bypass privileges, selected organization members can bypass push protection, and there is a review and approval process for all other contributors. See About delegated bypass for push protection.
- Prevent direct alert dismissals. To learn more, see Enabling delegated alert dismissal for secret scanning.
-
In the "Code scanning" table, choose whether you want to enable, disable, or keep the existing settings for code scanning default setup.
- Default setup. To learn more, see Configuring default setup for code scanning.
- Runner type. If you want to target specific runners for code scanning, you can choose to use custom-labeled runners at this step. See Configuring default setup for code scanning.
- Prevent direct alert dismissals. To learn more, see Enabling delegated alert dismissal for code scanning.
-
In the "Dependency scanning" table, choose whether you want to enable, disable, or keep the existing settings for the following dependency scanning features:
- Dependency graph. To learn about dependency graph, see About the dependency graph.
Tip
When both "GitHub Advanced Security" and Dependency graph are enabled, this enables dependency review, see About dependency review.
- Dependabot alerts. To learn about Dependabot, see About Dependabot alerts.
- Security updates. To learn about security updates, see About Dependabot security updates.
- Dependency graph. To learn about dependency graph, see About the dependency graph.
-
Optionally, in the "Policy" section, you can use additional options to control how the configuration is applied:
- Use as default for newly created repositories. Select the None dropdown menu, then click Public, Private and internal, or All repositories.
Note
The default security configuration for an organization is only automatically applied to new repositories created in your organization. If a repository is transferred into your organization, you will still need to apply an appropriate security configuration to the repository manually.
- Enforce configuration. Block repository owners from changing features that are enabled or disabled by the configuration (features that are not set aren't enforced). Select Enforce from the dropdown menu.
- Use as default for newly created repositories. Select the None dropdown menu, then click Public, Private and internal, or All repositories.
-
To finish creating your custom security configuration, click Save configuration.
Next steps
To apply your custom security configuration to repositories in your organization, see Applying a custom security configuration.
To learn how to edit your custom security configuration, see Editing a custom security configuration.