managing-security-and-analysis-settings-for-your-organization.md

File metadata and controls

150 lines (98 loc) · 14.5 KB
title intro permissions redirect_from versions topics shortTitle
Managing security and analysis settings for your organization
You can control features that secure and analyze the code in your organization's projects on {% data variables.product.prodname_dotcom %}.
Organization owners can manage security and analysis settings for repositories in the organization.
/github/setting-up-and-managing-organizations-and-teams/managing-secret-scanning-for-your-organization
/github/setting-up-and-managing-organizations-and-teams/managing-security-and-analysis-settings-for-your-organization
/organizations/keeping-your-organization-secure/managing-security-and-analysis-settings-for-your-organization
fpt ghes ghec
*
*
*
Organizations
Teams
Manage security & analysis

## About management of security and analysis settings

{% data variables.product.prodname_dotcom %} can help you to secure the repositories in your organization. You can manage the security and analysis features for all existing or new repositories that members create in your organization. {% ifversion ghec %}If you have a license for {% data variables.product.prodname_GH_advanced_security %} then you can also manage access to these features. {% data reusables.advanced-security.more-info-ghas %}{% endif %}{% ifversion fpt %}Organizations that use {% data variables.product.prodname_ghe_cloud %} with a license for {% data variables.product.prodname_GH_advanced_security %} can also manage access to these features. For more information, see the {% data variables.product.prodname_ghe_cloud %} documentation.{% endif %}

{% ifversion ghec or ghes %}If your organization is owned by an enterprise with a license for {% data variables.product.prodname_GH_advanced_security %}, then extra options for managing security and analysis settings may be available. For more information, see "AUTOTITLE."{% endif %}

{% data reusables.security.some-security-and-analysis-features-are-enabled-by-default %} {% ifversion security-configurations %} {% data reusables.security-configurations.enable-security-features-with-gh-config %}

{% endif %} {% data reusables.security.security-and-analysis-features-enable-read-only %}

{% ifversion pre-security-configurations %}

## Displaying the security and analysis settings

{% data reusables.profile.access_org %} {% data reusables.profile.org_settings %} {% data reusables.organizations.security-and-analysis %}

The page that's displayed allows you to enable or disable all security and analysis features for the repositories in your organization.

If you have a license for {% data variables.product.prodname_GH_advanced_security %}, the page will also contain options to enable and disable {% data variables.product.prodname_advanced_security %} features. Any repositories that use {% data variables.product.prodname_GH_advanced_security %} are listed at the bottom of the page.

## Enabling or disabling a feature for all existing repositories

You can enable or disable features for all repositories.

{% ifversion code-security-multi-repo-enablement %} You can use security overview to find a set of repositories and enable or disable security features for them all at the same time. For more information, see "AUTOTITLE." {% endif %}

{% data reusables.advanced-security.note-org-enable-uses-seats %}

> [!NOTE]
> If you encounter an error that reads "GitHub Advanced Security cannot be enabled because of a policy setting for the organization," contact your enterprise admin and ask them to change the GitHub Advanced Security policy for your enterprise. For more information, see "AUTOTITLE."

{% ifversion dependabot-alerts-enterprise-enablement %}

> [!NOTE]
> When {% data variables.product.prodname_dependabot_alerts %} are enabled or disabled at the enterprise level, it overrides the organization level settings for {% data variables.product.prodname_dependabot_alerts %}. For more information, see "AUTOTITLE."

{% endif %}

  1. Go to the security and analysis settings for your organization. For more information, see "Displaying the security and analysis settings."

  2. Under "Code security and analysis", to the right of the feature, click Disable all or Enable all to display a confirmation dialog box. The control for "{% data variables.product.prodname_GH_advanced_security %}" is disabled if you have no available {% ifversion ghas-billing-UI-update %}licenses{% else %}seats{% endif %} for {% data variables.product.prodname_GH_advanced_security %}.

  3. Review the information in the dialog box.

  4. Optionally, if you are enabling private vulnerability reporting, dependency graph, or {% data variables.product.prodname_dependabot %}, select Enable by default for new repositories.

    Screenshot of the "Enable FEATURE" modal dialog, with the "Enable by default for new private repositories" option highlighted with a dark orange outline.

  5. When you are ready to make the changes, click Disable FEATURE or Enable FEATURE to disable or enable the feature for all the repositories in your organization.

  6. Optionally, in your feature's section of the security and analysis settings, select additional enablement settings. Additional enablement settings may include:

     * Automatic enablement for a specific type of repository
     * Feature-specific settings, such as recommending the extended query suite for {% data variables.product.prodname_code_scanning %} default setup throughout your organization, or automatic secret validation for {% data variables.product.prodname_secret_scanning %}

     > [!NOTE]
     > * {% data reusables.code-scanning.limitation-org-enable-all %}{% ifversion bulk-code-scanning-query-suite %}
     > * Enabling {% data variables.product.prodname_code_scanning %} for all eligible repositories in an organization will not override existing {% data variables.product.prodname_code_scanning %} configurations. For information on configuring default setup with different settings for specific repositories, see "AUTOTITLE{% ifversion code-security-multi-repo-enablement %}" and "AUTOTITLE{% endif %}."{% endif %}

{% data reusables.security.displayed-information %}

## Enabling or disabling a feature automatically when new repositories are added

  1. Go to the security and analysis settings for your organization. For more information, see "Displaying the security and analysis settings."
  2. Under "Code security and analysis", locate the feature, then enable or disable it by default for new repositories in your organization.

{% endif %}

## Allowing {% data variables.product.prodname_dependabot %} to access private{% ifversion ghec or ghes %} or internal{% endif %} dependencies

{% data variables.product.prodname_dependabot %} can check for outdated dependency references in a project and automatically generate a pull request to update them. To do this, {% data variables.product.prodname_dependabot %} must have access to all of the targeted dependency files. Typically, version updates will fail if one or more dependencies are inaccessible. For more information, see "AUTOTITLE."

By default, {% data variables.product.prodname_dependabot %} can't update dependencies that are located in private{% ifversion ghec or ghes %} or internal{% endif %} repositories, or private{% ifversion ghec or ghes %} or internal{% endif %} package registries. However, if a dependency is in a private{% ifversion ghec or ghes %} or internal{% endif %} {% data variables.product.prodname_dotcom %} repository within the same organization as the project that uses that dependency, you can allow {% data variables.product.prodname_dependabot %} to update the version successfully by giving it access to the host repository.

If your code depends on packages in a private{% ifversion ghec or ghes %} or internal{% endif %} registry, you can allow {% data variables.product.prodname_dependabot %} to update the versions of these dependencies by configuring this at the repository level. You do this by adding authentication details to the dependabot.yml file for the repository. For more information, see "AUTOTITLE."
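As an added illustration of the repository-level configuration described above (not an example from this page), the following `dependabot.yml` authenticates to a private npm registry so that version updates for packages hosted there can succeed. The registry name `npm-private`, the registry URL and the secret name `NPM_PRIVATE_TOKEN` are placeholders; the credential itself is referenced as a Dependabot secret rather than written into the file.

```yaml
# dependabot.yml (placeholder example, lives at .github/dependabot.yml)
version: 2

registries:
  # "npm-private" is an arbitrary label; "type" and "url" describe the registry.
  npm-private:
    type: npm-registry
    url: https://npm.example.com          # placeholder private registry
    # Reference a Dependabot secret; never paste the token literally here,
    # since the file is committed to the repository.
    token: ${{ secrets.NPM_PRIVATE_TOKEN }}

updates:
  - package-ecosystem: "npm"
    directory: "/"
    # Only updates that list the registry here are allowed to use it.
    registries:
      - npm-private
    schedule:
      interval: "weekly"
```

The registry token should be scoped to read-only package access, because anyone who can edit this file can direct Dependabot at any registry named in the `registries` block.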

{% ifversion ghec %}

> [!NOTE]
> For the option to grant {% data variables.product.prodname_dependabot %} access to private or internal repositories to be available, you need {% data variables.product.prodname_dependabot_version_updates %} or {% data variables.product.prodname_dependabot_security_updates %} to be enabled on at least one repository within the organization.

{% endif %}

{% ifversion security-configurations %}

For more information on how to grant {% data variables.product.prodname_dependabot %} access to private{% ifversion ghec or ghes %} or internal{% endif %} dependencies, see "AUTOTITLE."

{% else %}

To allow {% data variables.product.prodname_dependabot %} to access a private or internal {% data variables.product.prodname_dotcom %} repository:

  1. Go to the security and analysis settings for your organization. For more information, see "Displaying the security and analysis settings."

  2. Under "Grant {% data variables.product.prodname_dependabot %} private repository access", click Add internal and private repositories to display a repository search field.

    Screenshot of the dropdown that you can use to search for repositories. As you type, repositories whose name matches your search criteria will appear in the list. The search text field is highlighted with a dark orange outline.

  3. Start typing the name of the repository you want to grant {% data variables.product.prodname_dependabot %} access to.

  4. A list of matching repositories in the organization is displayed. Click the repository you want to allow access to; this adds the repository to the allowed list.

  5. Optionally, to remove a repository from the list, to the right of the repository, click {% octicon "x" aria-label="The X icon" %}.

{% endif %}

## Removing access to {% data variables.product.prodname_GH_advanced_security %} from individual repositories in an organization

{% ifversion security-configurations %}

You can use {% data variables.product.prodname_security_configurations %} to remove access to {% data variables.product.prodname_GH_advanced_security %} from individual repositories in an organization. For more information, see "AUTOTITLE."

{% else %}

You can manage access to {% data variables.product.prodname_GH_advanced_security %} features for a repository from its "Settings" tab. For more information, see "AUTOTITLE." However, you can also disable {% data variables.product.prodname_GH_advanced_security %} features for a repository from the "Settings" tab for the organization.

  1. Go to the security and analysis settings for your organization. For more information, see "Displaying the security and analysis settings."
  2. To see a list of all the repositories in your organization with {% data variables.product.prodname_GH_advanced_security %} enabled, scroll to the "{% data variables.product.prodname_GH_advanced_security %} repositories" section.

     The table lists the number of unique committers for each repository. This is the number of {% ifversion ghas-billing-UI-update %}licenses{% else %}seats{% endif %} you could free up by removing access to {% data variables.product.prodname_GH_advanced_security %}. For more information, see "AUTOTITLE."

  3. To remove access to {% data variables.product.prodname_GH_advanced_security %} from a repository and free up {% ifversion ghas-billing-UI-update %}licenses{% else %}seats{% endif %} used by any active committers that are unique to the repository, click the adjacent {% octicon "x" aria-label="X symbol" %}.
  4. In the confirmation dialog, click Remove repository to remove access to the features of {% data variables.product.prodname_GH_advanced_security %}.

> [!NOTE]
> If you remove access to {% data variables.product.prodname_GH_advanced_security %} for a repository, you should communicate with the affected development team so that they know that the change was intended. This ensures that they don't waste time debugging failed runs of code scanning.

{% endif %}

## Further reading