Code security configurations available at the enterprise level (#53229)

Co-authored-by: Anne-Marie <102995847+am-stead@users.noreply.github.com> Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> Co-authored-by: Zack Fernandes <zackfern@github.com> Co-authored-by: Melanie Yarbrough <11952755+myarb@users.noreply.github.com>
2025-12-19 09:57:42 -05:00 · 2024-12-12 18:10:31 +00:00
parent 5a579b823d
commit b3ac0749c2
22 changed files with 402 additions and 6 deletions
--- a/content/admin/managing-code-security/index.md
+++ b/content/admin/managing-code-security/index.md
@@ -11,7 +11,7 @@ topics:
 children:
  - /managing-github-advanced-security-for-your-enterprise
  - /managing-supply-chain-security-for-your-enterprise
+  - /securing-your-enterprise
 redirect_from:
  - /admin/code-security
 ---
-
--- a/content/admin/managing-code-security/securing-your-enterprise/about-security-configurations.md
+++ b/content/admin/managing-code-security/securing-your-enterprise/about-security-configurations.md
@@ -0,0 +1,43 @@
+---
+title: About security configurations
+shortTitle: Security configurations
+intro: 'Security configurations are collections of security settings that you can apply across your enterprise.'
+product: '{% data reusables.gated-features.security-configurations-enterprise %}'
+versions:
+  feature: security-configuration-enterprise-level
+topics:
+  - Advanced Security
+  - Enterprise
+  - Security
+---
+
+## About {% data variables.product.prodname_security_configurations %}
+
+{% data variables.product.prodname_security_configurations_caps %} simplify the rollout of {% data variables.product.company_short %} security products at scale by helping you define collections of security settings and apply them across your enterprise.
+
+{% ifversion security-configurations-cloud %}
+
+We recommend securing your enterprise with the {% data variables.product.prodname_github_security_configuration %}, then evaluating the security findings on your repositories before configuring {% data variables.product.prodname_custom_security_configurations %}. For more information, see "[AUTOTITLE](/admin/managing-code-security/securing-your-enterprise/applying-the-github-recommended-security-configuration-to-your-enterprise)."
+
+{% endif %}
+
+With {% data variables.product.prodname_custom_security_configurations %}, you can create collections of enablement settings for {% data variables.product.company_short %}'s security products to meet the specific security needs of your enterprise. For example, you can create a different {% data variables.product.prodname_custom_security_configuration %} for each organization or group of similar organizations to reflect their different levels of security requirements and compliance obligations. For more information, see "[AUTOTITLE](/admin/managing-code-security/securing-your-enterprise/creating-a-custom-security-configuration-for-your-enterprise)."
+
+{% ifversion security-configurations-ghes-only %}
+
+When creating a security configuration, keep in mind that:
+* Only features installed by a site administrator on your {% data variables.product.prodname_ghe_server %} instance will appear in the UI.
+* {% data variables.product.prodname_GH_advanced_security %} features will only be visible if your enterprise or {% data variables.product.prodname_ghe_server %} instance holds a {% data variables.product.prodname_GH_advanced_security %} license.
+* Certain features, like {% data variables.product.prodname_dependabot_security_updates %} and {% data variables.product.prodname_code_scanning %} default setup, also require that {% data variables.product.prodname_actions %} is installed on the {% data variables.product.prodname_ghe_server %} instance.
+
+{% endif %}
+
+{% data reusables.security-configurations.emu-note %}
+
+{% data reusables.security-configurations.security-features-use-actions %}
+
+## Preserving default settings for new repositories
+
+If you had default security settings in place for newly created repositories, {% data variables.product.github %} will preserve these settings by automatically creating a "New repository default settings" security configuration for your enterprise. The configuration matches your previous enterprise-level default settings for new repositories as of December, 2024.
+
+The "New repository default settings" configuration will automatically get applied to any newly created repositories in your enterprise, if no organization-level defaults are set.
--- a/content/admin/managing-code-security/securing-your-enterprise/applying-a-custom-security-configuration-to-your-enterprise.md
+++ b/content/admin/managing-code-security/securing-your-enterprise/applying-a-custom-security-configuration-to-your-enterprise.md
@@ -0,0 +1,34 @@
+---
+title: Applying a custom security configuration to your enterprise
+shortTitle: Apply custom configuration
+intro: 'You can apply your {% data variables.product.prodname_custom_security_configuration %} to organizations and repositories in your organization to meet the specific security needs of your enterprise.'
+permissions: '{% data reusables.permissions.security-configuration-enterprise-enable %}'
+versions:
+  feature: security-configuration-enterprise-level
+topics:
+  - Advanced Security
+  - Organizations
+  - Security
+---
+
+## About applying a {% data variables.product.prodname_custom_security_configuration %}
+
+After you create a {% data variables.product.prodname_custom_security_configuration %}, you need to apply it to repositories in your enterprise to enable the configuration's settings on those repositories.
+
+{% data reusables.security-configurations.security-features-use-actions %}
+
+## Applying your {% data variables.product.prodname_custom_security_configuration %} to repositories in your enterprise
+
+{% data reusables.enterprise-accounts.access-enterprise %}
+{% data reusables.enterprise-accounts.settings-tab %}
+1. In the left sidebar, click **Code security**.
+1. To the right of the configuration you want to apply, select the **Apply to** {% octicon "triangle-down" aria-hidden="true" %} dropdown menu, then click **All repositories** or **All repositories without configurations**.
+{% data reusables.security-configurations.apply-configuration-by-default %}
+
+{% data reusables.security-configurations.apply-configuration %}
+
+{% data reusables.security-configurations.failure-handling-enterprise %}
+
+## Next steps
+
+To learn how to edit your {% data variables.product.prodname_custom_security_configuration %}, see "[AUTOTITLE](/admin/managing-code-security/securing-your-enterprise/editing-a-custom-security-configuration)."
--- a/content/admin/managing-code-security/securing-your-enterprise/applying-the-github-recommended-security-configuration-to-your-enterprise.md
+++ b/content/admin/managing-code-security/securing-your-enterprise/applying-the-github-recommended-security-configuration-to-your-enterprise.md
@@ -0,0 +1,40 @@
+---
+title: Applying the GitHub-recommended security configuration to your enterprise
+shortTitle: Apply recommended configuration
+intro: 'Secure your code with the security enablement settings created, managed, and recommended by {% data variables.product.github %}.'
+permissions: '{% data reusables.permissions.security-configuration-enterprise-enable %}'
+versions:
+  ghec: '*'
+topics:
+  - Advanced Security
+  - Enterprise
+  - Security
+---
+
+## About the {% data variables.product.prodname_github_security_configuration %}
+
+The {% data variables.product.prodname_github_security_configuration %} is a set of industry best practices and features that provide a robust, baseline security posture for enterprises. This configuration is created and maintained by subject matter experts at {% data variables.product.github %}, with the help of multiple industry leaders and experts. The {% data variables.product.prodname_github_security_configuration %} is designed to successfully reduce the security risks for low- and high-impact repositories. We recommend you apply this configuration to all the repositories in your enterprise.
+
+{% data reusables.security-configurations.github-recommended-warning-enterprise %}
+
+## Applying the {% data variables.product.prodname_github_security_configuration %} to  repositories in your enterprise
+
+{% data reusables.enterprise-accounts.access-enterprise %}
+{% data reusables.enterprise-accounts.settings-tab %}
+1. In the left sidebar, click **Code security**.
+1. In the "{% data variables.product.company_short %} recommended" row of the configurations table for your enterprise, select the **Apply to** {% octicon "triangle-down" aria-hidden="true" %} dropdown menu, then click **All repositories** or **All repositories without configurations**.
+{% data reusables.security-configurations.apply-configuration-by-default %}
+
+{% data reusables.security-configurations.apply-configuration %}
+
+{% data reusables.security-configurations.failure-handling-enterprise %}
+
+## Enforcing the {% data variables.product.prodname_github_security_configuration %}
+
+{% data reusables.enterprise-accounts.access-enterprise %}
+{% data reusables.enterprise-accounts.settings-tab %}
+1. In the left sidebar, click **Code security**.
+1. In the "Configurations" section, select "{% data variables.product.company_short %} recommended".
+1. In the "Policy" section, next to "Enforce configuration", select **Enforce** from the dropdown menu.
+
+{% data reusables.code-scanning.custom-security-configuration-enforcement-edge-cases-enterprise %}
--- a/content/admin/managing-code-security/securing-your-enterprise/configuring-additional-secret-scanning-settings-for-your-enterprise.md
+++ b/content/admin/managing-code-security/securing-your-enterprise/configuring-additional-secret-scanning-settings-for-your-enterprise.md
@@ -0,0 +1,49 @@
+---
+title: Configuring additional secret scanning settings for your enterprise
+shortTitle: Configure additional settings
+intro: 'Learn how to configure additional {% data variables.product.prodname_secret_scanning %} settings for your enterprise.'
+permissions: '{% data reusables.permissions.security-configuration-enterprise-enable %}'
+versions:
+  feature: security-configuration-enterprise-level
+topics:
+  - Advanced Security
+  - Enterprise
+  - Security
+---
+
+## About additional settings for {% data variables.product.prodname_secret_scanning %}
+
+There are some additional {% data variables.product.prodname_secret_scanning %} settings that cannot be applied to repositories using {% data variables.product.prodname_security_configurations %}, so you must configure these settings separately:
+
+* [Configuring a resource link for push protection](/admin/managing-code-security/securing-your-enterprise/configuring-additional-secret-scanning-settings-for-your-enterprise#configuring-a-resource-link-for-push-protection){% ifversion secret-scanning-ai-generic-secret-detection %}
+* [Configuring AI detection to find additional secrets](/admin/managing-code-security/securing-your-enterprise/configuring-additional-secret-scanning-settings-for-your-enterprise#configuring-ai-detection-to-find-additional-secrets){% endif %}
+
+These additional settings only apply to repositories with both {% data variables.product.prodname_GH_advanced_security %} and {% data variables.product.prodname_secret_scanning %} enabled.
+
+## Accessing the additional settings for {% data variables.product.prodname_secret_scanning %}
+
+{% data reusables.enterprise-accounts.access-enterprise %}
+{% data reusables.enterprise-accounts.settings-tab %}
+1. In the left sidebar, click **Code security**.
+1. Scroll down the page to the "Additional settings" section.
+
+### Configuring a resource link for push protection
+
+To provide context for developers when {% data variables.product.prodname_secret_scanning %} blocks a commit, you can display a link with more information on why the commit was blocked.
+
+1. Under "Additional settings", to the right of "Resource link for push protection", click **{% octicon "pencil" aria-hidden="true" %}**.
+1. In the text box, type the link to the desired resource, then click **{% octicon "check" aria-label="Save" %}**.
+
+{% ifversion secret-scanning-ai-generic-secret-detection %}
+
+### Configuring AI detection to find additional secrets
+
+{% data variables.secret-scanning.copilot-secret-scanning %}'s {% data variables.secret-scanning.generic-secret-detection %} is an AI-powered expansion of {% data variables.product.prodname_secret_scanning %} that scans and creates alerts for unstructured secrets, such as passwords.
+
+1. Under "Additional settings", to the right of "Use AI detection to find additional secrets", ensure the setting is toggled to "On".
+
+{% data reusables.secret-scanning.copilot-secret-scanning-generic-secrets-subscription-note %}
+
+To learn more about generic secrets, see "[AUTOTITLE](/code-security/secret-scanning/copilot-secret-scanning/responsible-ai-generic-secrets)."
+
+{% endif %}
--- a/content/admin/managing-code-security/securing-your-enterprise/creating-a-custom-security-configuration-for-your-enterprise.md
+++ b/content/admin/managing-code-security/securing-your-enterprise/creating-a-custom-security-configuration-for-your-enterprise.md
@@ -0,0 +1,110 @@
+---
+title: Creating a custom security configuration for your enterprise
+shortTitle: Create custom configuration
+intro: 'Build a {% data variables.product.prodname_custom_security_configuration %} to meet the specific security needs of your enterprise.'
+permissions: '{% data reusables.permissions.security-configuration-enterprise-enable %}'
+versions:
+  feature: security-configuration-enterprise-level
+topics:
+  - Advanced Security
+  - Enterprise
+  - Security
+---
+
+## About {% data variables.product.prodname_custom_security_configurations %}
+
+{% ifversion security-configurations-cloud %}
+
+We recommend securing your enterprise with the {% data variables.product.prodname_github_security_configuration %}, then evaluating the security findings on your repositories before configuring {% data variables.product.prodname_custom_security_configurations %}. For more information, see "[AUTOTITLE](/admin/managing-code-security/securing-your-enterprise/applying-the-github-recommended-security-configuration-to-your-enterprise)."
+
+{% endif %}
+
+With {% data variables.product.prodname_custom_security_configurations %}, you can create collections of enablement settings for {% data variables.product.company_short %}'s security products to meet the specific security needs of your enterprise. For example, you can create a different {% data variables.product.prodname_custom_security_configuration %} for each organization or group of organizations to reflect their unique security requirements and compliance obligations.
+
+{% ifversion security-configurations-ghes-only %}
+
+When creating a security configuration, keep in mind that:
+* Only features installed by a site administrator on your {% data variables.product.prodname_ghe_server %} instance will appear in the UI.
+* {% data variables.product.prodname_GH_advanced_security %} features will only be visible if your enterprise or {% data variables.product.prodname_ghe_server %} instance holds a {% data variables.product.prodname_GH_advanced_security %} license.
+* Certain features, like {% data variables.product.prodname_dependabot_security_updates %} and {% data variables.product.prodname_code_scanning %} default setup, also require that {% data variables.product.prodname_actions %} is installed on the {% data variables.product.prodname_ghe_server %} instance.
+
+{% endif %}
+
+## Creating a {% data variables.product.prodname_custom_security_configuration %}
+
+{% ifversion security-configurations-cloud %}
+<!-- Note: this article has two entirely separate procedures for cloud and server users. -->
+
+>[!NOTE]
+> The enablement status of some security features is dependent on other, higher-level security features. For example, disabling dependency graph will also disable automatic dependency submission, {% data variables.product.prodname_dependabot_alerts %}, vulnerability exposure analysis, and security updates.
+
+{% data reusables.enterprise-accounts.access-enterprise %}
+{% data reusables.enterprise-accounts.settings-tab %}
+1. In the left sidebar, click **Code security**.
+1. In the "Configurations" section, click **New configuration**.
+1. To help identify your {% data variables.product.prodname_custom_security_configuration %} and clarify its purpose on the "Configurations" page, name your configuration and create a description.
+1. In the "{% data variables.product.prodname_GH_advanced_security %} features" row, choose whether to include or exclude {% data variables.product.prodname_GH_advanced_security %} (GHAS) features. If you plan to apply a {% data variables.product.prodname_custom_security_configuration %} with GHAS features to private repositories, you must have available GHAS licenses for each active unique committer to those repositories, or the features will not be enabled. See "[AUTOTITLE](/billing/managing-billing-for-your-products/managing-billing-for-github-advanced-security/about-billing-for-github-advanced-security)."
+1. In the "Dependency graph and {% data variables.product.prodname_dependabot %}" section of the security settings table, choose whether you want to enable, disable, or keep the existing settings for the following security features:
+    * Dependency graph. To learn about dependency graph, see "[AUTOTITLE](/code-security/supply-chain-security/understanding-your-software-supply-chain/about-the-dependency-graph)."{%- ifversion maven-transitive-dependencies %}
+    * Automatic dependency submission. To learn about automatic dependency submission, see "[AUTOTITLE](/code-security/supply-chain-security/understanding-your-software-supply-chain/configuring-automatic-dependency-submission-for-your-repository)."{%- endif %}
+    * {% data variables.product.prodname_dependabot_alerts %}. To learn about {% data variables.product.prodname_dependabot_alerts %}, see "[AUTOTITLE](/code-security/dependabot/dependabot-alerts/about-dependabot-alerts)."
+    * Security updates. To learn about security updates, see "[AUTOTITLE](/code-security/dependabot/dependabot-security-updates/about-dependabot-security-updates)."
+
+    > [!NOTE]
+    > You cannot manually change the enablement settings for vulnerable function calls. If {% data variables.product.prodname_GH_advanced_security %} features and {% data variables.product.prodname_dependabot_alerts %} are enabled, vulnerable function calls is also enabled. Otherwise, it is disabled.
+
+1. In the "{% data variables.product.prodname_code_scanning_caps %}" section of the security settings table, choose whether you want to enable, disable, or keep the existing settings for {% data variables.product.prodname_code_scanning %} default setup. To learn about default setup, see "[AUTOTITLE](/code-security/code-scanning/enabling-code-scanning/configuring-default-setup-for-code-scanning#about-default-setup)."
+1. In the "{% data variables.product.prodname_secret_scanning_caps %}" section of the security settings table, choose whether you want to enable, disable, or keep the existing settings for the following security features:
+    * Alerts. To learn about {% data variables.product.prodname_secret_scanning %}, see "[AUTOTITLE](/code-security/secret-scanning/introduction/about-secret-scanning)."{% ifversion org-npp-enablement-security-configurations %}
+    * Non-provider patterns. To learn more about scanning for non-provider patterns, see "[AUTOTITLE](/code-security/secret-scanning/introduction/supported-secret-scanning-patterns#non-provider-patterns)" and "[AUTOTITLE](/code-security/secret-scanning/managing-alerts-from-secret-scanning/viewing-alerts)."{% endif %}
+    * Push protection. To learn about push protection, see "[AUTOTITLE](/code-security/secret-scanning/introduction/about-push-protection)."
+1. In the "Private vulnerability reporting" section of the security settings table, choose whether you want to enable, disable, or keep the existing settings for private vulnerability reporting. To learn about private vulnerability reporting, see "[AUTOTITLE](/code-security/security-advisories/working-with-repository-security-advisories/configuring-private-vulnerability-reporting-for-a-repository)."
+1. Optionally, in the "Policy" section, you can choose to automatically apply the {% data variables.product.prodname_security_configuration %} to newly created repositories depending on their visibility. Select the **None** {% octicon "triangle-down" aria-hidden="true" %} dropdown menu, then click **Public**, **Private and internal**, or **All repositories**.
+1. Optionally, in the "Policy" section, you can enforce the configuration and block repository owners from changing features that are enabled or disabled by the configuration (features that are not set aren't enforced). Next to "Enforce configuration", select **Enforce** from the dropdown menu.
+
+    {% data reusables.code-scanning.custom-security-configuration-enforcement-edge-cases-enterprise %}
+
+1. To finish creating your {% data variables.product.prodname_custom_security_configuration %}, click **Save configuration**.
+
+{% elsif security-configurations-ghes-only %}
+
+>[!NOTE]
+> The enablement status of some security features is dependent on other, higher-level security features. For example, disabling {% data variables.secret-scanning.alerts %} will also disable non-provider patterns and push protection.
+
+{% data reusables.enterprise-accounts.access-enterprise %}
+{% data reusables.enterprise-accounts.settings-tab %}
+1. In the left sidebar, click **Code security**.
+1. In the "Configurations" section, click **New configuration**.
+1. To help identify your {% data variables.product.prodname_custom_security_configuration %} and clarify its purpose on the "Configurations" page, name your configuration and create a description.
+1. In the "{% data variables.product.prodname_GH_advanced_security %} features" row, choose whether to include or exclude {% data variables.product.prodname_GH_advanced_security %} (GHAS) features. If you plan to apply a {% data variables.product.prodname_custom_security_configuration %} with GHAS features to private repositories, you must have available GHAS licenses for each active unique committer to those repositories, or the features will not be enabled. See "[AUTOTITLE](/billing/managing-billing-for-your-products/managing-billing-for-github-advanced-security/about-billing-for-github-advanced-security)."
+1. In the "Dependency graph and {% data variables.product.prodname_dependabot %}" section of the security settings table, choose whether you want to enable, disable, or keep the existing settings for the following security features:
+    * {% data variables.product.prodname_dependabot_alerts %}. To learn about {% data variables.product.prodname_dependabot %}, see "[AUTOTITLE](/code-security/dependabot/dependabot-alerts/about-dependabot-alerts)."
+    > [!NOTE] {% data variables.dependabot.auto_triage_rules %} are not available to set at enterprise level. If an enterprise-level security configuration is applied to a repository, it can still have {% data variables.dependabot.auto_triage_rules %} enabled, but you can't turn off these rules at the level of the enterprise.
+    * Security updates. To learn about security updates, see "[AUTOTITLE](/code-security/dependabot/dependabot-security-updates/about-dependabot-security-updates)."
+    > [!NOTE]
+    > You cannot manually change the enablement setting for the dependency graph. This setting is installed and managed by a site administrator at the instance level.
+1. In the "{% data variables.product.prodname_code_scanning_caps %}" section of the security settings table, choose whether you want to enable, disable, or keep the existing settings for {% data variables.product.prodname_code_scanning %} default setup. To learn about default setup, see "[AUTOTITLE](/code-security/code-scanning/enabling-code-scanning/configuring-default-setup-for-code-scanning#about-default-setup)."
+1. In the "{% data variables.product.prodname_secret_scanning_caps %}" section of the security settings table, choose whether you want to enable, disable, or keep the existing settings for the following security features:
+    * Alerts. To learn about {% data variables.secret-scanning.alerts %}, see "[AUTOTITLE](/code-security/secret-scanning/introduction/about-secret-scanning)."{% ifversion org-npp-enablement-security-configurations %}
+    * Non-provider patterns. To learn more about scanning for non-provider patterns, see "[AUTOTITLE](/code-security/secret-scanning/introduction/supported-secret-scanning-patterns#non-provider-patterns)" and "[AUTOTITLE](/code-security/secret-scanning/managing-alerts-from-secret-scanning/viewing-alerts)."{% endif %}
+    * Push protection. To learn about push protection, see "[AUTOTITLE](/code-security/secret-scanning/introduction/about-push-protection)."
+{% ifversion push-protection-delegated-bypass-configurations %}
+1. Optionally, under "Push protection", choose whether you want to assign bypass privileges to selected actors in your organization. By assigning bypass privileges, selected organization members can bypass push protection, and there is a review and approval process for all other contributors. For further guidance on how to configure this setting, see "[AUTOTITLE](/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/enabling-delegated-bypass-for-push-protection#configuring-delegated-bypass-for-an-organization)."
+{% endif %}
+1. Optionally, in the "Policy" section, you can choose to automatically apply the {% data variables.product.prodname_security_configuration %} to newly created repositories depending on their visibility. Select the **None** {% octicon "triangle-down" aria-hidden="true" %} dropdown menu, then click **Public**, or **Private and internal**, or **All repositories**.
+
+1. Optionally, in the "Policy" section, you can enforce the configuration and block repository owners from changing features that are enabled or disabled by the configuration (features that are not set aren't enforced). Next to "Enforce configuration", select **Enforce** from the dropdown menu.
+
+    {% data reusables.code-scanning.custom-security-configuration-enforcement-edge-cases-enterprise %}
+
+1. To finish creating your {% data variables.product.prodname_custom_security_configuration %}, click **Save configuration**.
+
+{% endif %}
+
+## Next steps
+
+To optionally configure additional {% data variables.product.prodname_secret_scanning %} settings for the enterprise, see "[AUTOTITLE](/admin/managing-code-security/securing-your-enterprise/configuring-additional-secret-scanning-settings-for-your-enterprise)."
+
+To apply your {% data variables.product.prodname_custom_security_configuration %} to repositories in your organization, see "[AUTOTITLE](/code-security/securing-your-organization/enabling-security-features-in-your-organization/applying-a-custom-security-configuration)."
+
+{% data reusables.security-configurations.edit-configuration-next-step %}
--- a/content/admin/managing-code-security/securing-your-enterprise/deleting-a-custom-security-configuration.md
+++ b/content/admin/managing-code-security/securing-your-enterprise/deleting-a-custom-security-configuration.md
@@ -0,0 +1,28 @@
+---
+title: Deleting a custom security configuration
+shortTitle: Delete custom configuration
+intro: 'You can delete unnecessary {% data variables.product.prodname_custom_security_configurations %} in your enterprise.'
+permissions: '{% data reusables.permissions.security-configuration-enterprise-enable %}'
+versions:
+  feature: security-configuration-enterprise-level
+topics:
+  - Advanced Security
+  - Enterprise
+  - Security
+---
+
+## About deleting a {% data variables.product.prodname_custom_security_configuration %}
+
+If you no longer need a {% data variables.product.prodname_custom_security_configuration %}, you can delete that configuration to ensure it will not be applied to any repositories in the future. If you want to delete a {% data variables.product.prodname_custom_security_configuration %} because you want to change the security enablement settings in that configuration, consider editing the configuration instead. For more information, see "[AUTOTITLE](/admin/managing-code-security/securing-your-enterprise/editing-a-custom-security-configuration)."
+
+> [!WARNING]
+> Deleting a {% data variables.product.prodname_custom_security_configuration %} will detach all repositories that are linked to that configuration. The existing security settings for those repositories will be unchanged, but you must apply a different {% data variables.product.prodname_security_configuration %} or manage their security settings at the repository level to keep their settings up to date.
+
+## Deleting a {% data variables.product.prodname_custom_security_configuration %} from your enterprise
+
+{% data reusables.enterprise-accounts.access-enterprise %}
+{% data reusables.enterprise-accounts.settings-tab %}
+1. In the left sidebar, click **Code security**.
+1. In the configurations table, click the name of the {% data variables.product.prodname_custom_security_configuration %} you want to delete.
+1. In the "Edit configuration" page, scroll to the bottom of the "Security settings" section, then click **Delete configuration**.
+1. Ensure you read the warning in the "Delete this configuration?" dialog, to confirm you are comfortable deleting the {% data variables.product.prodname_custom_security_configuration %}, then click **Delete configuration**.
--- a/content/admin/managing-code-security/securing-your-enterprise/editing-a-custom-security-configuration.md
+++ b/content/admin/managing-code-security/securing-your-enterprise/editing-a-custom-security-configuration.md
@@ -0,0 +1,37 @@
+---
+title: Editing a custom security configuration
+shortTitle: Edit custom configuration
+intro: 'Change the enablement settings in your {% data variables.product.prodname_custom_security_configuration %} to better meet the security needs of your repositories.'
+permissions: '{% data reusables.permissions.security-configuration-enterprise-enable %}'
+versions:
+  feature: security-configuration-enterprise-level
+topics:
+  - Advanced Security
+  - Organizations
+  - Security
+---
+
+## About editing a {% data variables.product.prodname_custom_security_configuration %}
+
+After creating and applying a {% data variables.product.prodname_custom_security_configuration %}, you may need to edit the enablement settings for that configuration to better secure your repositories. Any changes you make to the enablement settings of a {% data variables.product.prodname_security_configuration %} will automatically populate to all linked repositories.
+
+{% ifversion security-configurations-cloud %}
+
+> [!NOTE]
+> The {% data variables.product.prodname_github_security_configuration %} is managed by {% data variables.product.github %} and cannot be edited. If you would like to customize your security enablement settings, you need to create a {% data variables.product.prodname_custom_security_configuration %}. For more information, see "[AUTOTITLE](/admin/managing-code-security/securing-your-enterprise/creating-a-custom-security-configuration-for-your-enterprise)."
+
+{% endif %}
+
+## Modifying your {% data variables.product.prodname_custom_security_configuration %}
+
+{% data reusables.enterprise-accounts.access-enterprise %}
+{% data reusables.enterprise-accounts.settings-tab %}
+1. In the left sidebar, click **Code security**.
+1. In the "Configurations" section, click the name of the {% data variables.product.prodname_custom_security_configuration %} you want to edit.
+1. Edit the name and description of your {% data variables.product.prodname_custom_security_configuration %} as desired.
+1. In the "Security settings" section, edit the enablement settings of your {% data variables.product.prodname_custom_security_configuration %} as desired.
+1. In the "Policy" section, you can modify the configuration's enforcement status. Enforcing a configuration will block repository owners from changing features that are enabled or disabled by the configuration, but features that are not set aren't enforced. Next to "Enforce configuration", select **Enforce** or **Don't enforce** from the dropdown menu.
+
+    {% data reusables.code-scanning.custom-security-configuration-enforcement-edge-cases-enterprise %}
+
+1. To apply your changes, click **Update configuration**.
--- a/content/admin/managing-code-security/securing-your-enterprise/index.md
+++ b/content/admin/managing-code-security/securing-your-enterprise/index.md
@@ -0,0 +1,22 @@
+---
+title: Securing your enterprise
+shortTitle: Securing your enterprise
+intro: '{% ifversion security-configurations-cloud %}Enable the {% data variables.product.prodname_github_security_configuration %} or c{% elsif security-configurations-ghes-only %}C{% endif %}reate and apply {% data variables.product.prodname_custom_security_configurations %} to quickly secure your enterprise.'
+product: '{% data reusables.gated-features.ghas %}'
+versions:
+  feature: security-configuration-enterprise-level
+topics:
+  - Alerts
+  - Advanced Security
+  - Dependency graph
+  - Dependabot
+  - Repositories
+children:
+  - /about-security-configurations
+  - /applying-the-github-recommended-security-configuration-to-your-enterprise
+  - /creating-a-custom-security-configuration-for-your-enterprise
+  - /applying-a-custom-security-configuration-to-your-enterprise
+  - /configuring-additional-secret-scanning-settings-for-your-enterprise
+  - /editing-a-custom-security-configuration
+  - /deleting-a-custom-security-configuration
+---
--- a/content/code-security/securing-your-organization/enabling-security-features-in-your-organization/applying-the-github-recommended-security-configuration-in-your-organization.md
+++ b/content/code-security/securing-your-organization/enabling-security-features-in-your-organization/applying-the-github-recommended-security-configuration-in-your-organization.md
@@ -52,7 +52,6 @@ The {% data variables.product.prodname_github_security_configuration %} is a col
 1. In the "Code security configurations" section, select "{% data variables.product.company_short %} recommended".
 1. In the "Policy" section, next to "Enforce configuration", select **Enforce** from the dropdown menu.

->[!NOTE]
 {% data reusables.code-scanning.custom-security-configuration-enforcement-edge-cases %}

 ## Next steps
--- a/content/code-security/securing-your-organization/enabling-security-features-in-your-organization/creating-a-custom-security-configuration.md
+++ b/content/code-security/securing-your-organization/enabling-security-features-in-your-organization/creating-a-custom-security-configuration.md
@@ -71,7 +71,6 @@ When creating a security configuration, keep in mind that:
    {% data reusables.security-configurations.default-configuration-exception-repo-transfers %}
 1. Optionally, in the "Policy" section, you can enforce the configuration and block repository owners from changing features that are enabled or disabled by the configuration (features that are not set aren't enforced). Next to "Enforce configuration", select **Enforce** from the dropdown menu.

-    >[!NOTE]
    {% data reusables.code-scanning.custom-security-configuration-enforcement-edge-cases %}

 1. To finish creating your {% data variables.product.prodname_custom_security_configuration %}, click **Save configuration**.
@@ -105,7 +104,6 @@ When creating a security configuration, keep in mind that:
    {% data reusables.security-configurations.default-configuration-exception-repo-transfers %}
 1. Optionally, in the "Policy" section, you can enforce the configuration and block repository owners from changing features that are enabled or disabled by the configuration (features that are not set aren't enforced). Next to "Enforce configuration", select **Enforce** from the dropdown menu.

-    >[!NOTE]
    {% data reusables.code-scanning.custom-security-configuration-enforcement-edge-cases %}

 1. To finish creating your {% data variables.product.prodname_custom_security_configuration %}, click **Save configuration**.
--- a/content/code-security/securing-your-organization/introduction-to-securing-your-organization-at-scale/about-enabling-security-features-at-scale.md
+++ b/content/code-security/securing-your-organization/introduction-to-securing-your-organization-at-scale/about-enabling-security-features-at-scale.md
@@ -37,7 +37,6 @@ You will only ever see enablement settings for features that have been installed

 {% endif %}

->[!NOTE]
 {% data reusables.code-scanning.custom-security-configuration-enforcement-edge-cases %}

 Each repository can only have one {% data variables.product.prodname_security_configuration %} applied to it. {% ifversion security-configurations-cloud %}To find out how you should get started with {% data variables.product.prodname_security_configurations %}, see [AUTOTITLE](/code-security/securing-your-organization/introduction-to-securing-your-organization-at-scale/choosing-a-security-configuration-for-your-repositories).{% endif %}
--- a/content/code-security/securing-your-organization/managing-the-security-of-your-organization/editing-a-custom-security-configuration.md
+++ b/content/code-security/securing-your-organization/managing-the-security-of-your-organization/editing-a-custom-security-configuration.md
@@ -37,7 +37,6 @@ To determine if your {% data variables.product.prodname_custom_security_configur
 1. In the "Security settings" section, edit the enablement settings of your {% data variables.product.prodname_custom_security_configuration %} as desired.
 1. In the "Policy" section, you can modify the configuration's enforcement status. Enforcing a configuration will block repository owners from changing features that are enabled or disabled by the configuration, but features that are not set aren't enforced. Next to "Enforce configuration", select **Enforce** or **Don't enforce** from the dropdown menu.

-    >[!NOTE]
    {% data reusables.code-scanning.custom-security-configuration-enforcement-edge-cases %}

 1. To apply your changes, click **Update configuration**.
--- a/data/features/security-configuration-enterprise-level.yml
+++ b/data/features/security-configuration-enterprise-level.yml
@@ -0,0 +1,5 @@
+# Reference: #15381
+# Code security configurations at the enterprise level
+versions:
+  ghec: '*'
+  ghes: '>3.15'
--- a/data/reusables/code-scanning/custom-security-configuration-enforcement-edge-cases-enterprise.md
+++ b/data/reusables/code-scanning/custom-security-configuration-enforcement-edge-cases-enterprise.md
@@ -0,0 +1,8 @@
+> [!NOTE]
+> If a user in your enterprise attempts to change the enablement status of a feature in an enforced configuration using the REST API, the API call will appear to succeed, but no enablement statuses will change.
+>
+> Some situations can break the enforcement of {% data variables.product.prodname_security_configurations %} for a repository. For example, the enablement of {% data variables.product.prodname_code_scanning %} will not apply to a repository if:
+> * {% data variables.product.prodname_actions %} is initially enabled on the repository, but is then disabled in the repository.
+> * {% data variables.product.prodname_actions %} required by {% data variables.product.prodname_code_scanning %} configurations are not available in the repository.{% ifversion ghes %}
+> * Self-hosted runners with the label `code-scanning` are not available.{% endif %}
+> * The definition for which languages should not be analyzed using {% data variables.product.prodname_code_scanning %} default setup is changed.
--- a/data/reusables/code-scanning/custom-security-configuration-enforcement-edge-cases.md
+++ b/data/reusables/code-scanning/custom-security-configuration-enforcement-edge-cases.md
@@ -1,3 +1,4 @@
+> [!NOTE]
 > If a user in your organization attempts to change the enablement status of a feature in an enforced configuration using the REST API, the API call will appear to succeed, but no enablement statuses will change.
 >
 > Some situations can break the enforcement of {% data variables.product.prodname_security_configurations %} for a repository. For example, the enablement of {% data variables.product.prodname_code_scanning %} will not apply to a repository if:
--- a/data/reusables/gated-features/security-configurations-enterprise.md
+++ b/data/reusables/gated-features/security-configurations-enterprise.md
@@ -0,0 +1,15 @@
+{% data variables.product.prodname_security_configurations_caps %} is available for the following repositories:
+
+{% ifversion ghec %}
+
+  * Public repositories
+  * Private and internal repositories in organizations using {% data variables.product.prodname_ghe_cloud %} with [{% data variables.product.prodname_GH_advanced_security %}](/get-started/learning-about-github/about-github-advanced-security) enabled{% ifversion secret-scanning-user-owned-repos %}
+
+{% endif %}
+
+{% elsif ghes %}
+
+* Organization-owned repositories with [{% data variables.product.prodname_GH_advanced_security %}](/get-started/learning-about-github/about-github-advanced-security) enabled
+* {% ifversion secret-scanning-user-owned-repos %}User-owned repositories{% endif %} for an enterprise with {% data variables.product.prodname_GH_advanced_security %} enabled
+
+{% endif %}
--- a/data/reusables/permissions/security-configuration-enterprise-enable.md
+++ b/data/reusables/permissions/security-configuration-enterprise-enable.md
@@ -0,0 +1 @@
+{% ifversion ghec %}Enterprise owners and members with the **admin** role{% else %}Site administrators{% endif %}
--- a/data/reusables/security-configurations/emu-note.md
+++ b/data/reusables/security-configurations/emu-note.md
@@ -0,0 +1,5 @@
+{% ifversion ghec %}
+
+If your enterprise uses {% data variables.product.prodname_emus %}, please note that enterprise-level {% data variables.product.prodname_security_configurations %} are not automatically rolled out to user namespace repositories. There are some additional {% data variables.product.prodname_secret_scanning %} settings that can be applied to user namespace repositories within the enteprise, but you cannot apply enterprise-level  {% data variables.product.prodname_security_configurations %} to this type of user-owner repository.
+
+{% endif %}
--- a/data/reusables/security-configurations/failure-handling-enterprise.md
+++ b/data/reusables/security-configurations/failure-handling-enterprise.md
@@ -0,0 +1 @@
+If {% data variables.product.prodname_security_configurations %} fail to apply to some organizations in your enterprise, {% data variables.product.prodname_dotcom %} will display a banner on the UI to let you know. You can click the links on the banner to get more information about the organizations and repositories involved.
--- a/data/reusables/security-configurations/github-recommended-warning-enterprise.md
+++ b/data/reusables/security-configurations/github-recommended-warning-enterprise.md
@@ -0,0 +1 @@
+>[!WARNING] {% data variables.product.github %} may add new features to the {% data variables.product.prodname_github_security_configuration %} without warning. If you have concerns and prefer to test out features before they are turned on, we suggest you do not use the {% data variables.product.prodname_github_security_configuration %}.
--- a/data/reusables/security-configurations/security-features-use-actions.md
+++ b/data/reusables/security-configurations/security-features-use-actions.md
@@ -0,0 +1 @@
+>[!NOTE] Some features enabled in {% data variables.product.prodname_security_configurations %} may require Actions minutes to work. {% data variables.product.prodname_dotcom %} will let you know if that's the case when you apply the configuration to a repository. For more information about billing for {% data variables.product.prodname_actions %}, see "[AUTOTITLE](/billing/managing-billing-for-github-actions/about-billing-for-github-actions)."
				`@@ -0,0 +1 @@`
				`{% ifversion ghec %}Enterprise owners and members with the admin role{% else %}Site administrators{% endif %}`
				`@@ -0,0 +1 @@`
				`If {% data variables.product.prodname_security_configurations %} fail to apply to some organizations in your enterprise, {% data variables.product.prodname_dotcom %} will display a banner on the UI to let you know. You can click the links on the banner to get more information about the organizations and repositories involved.`
				`@@ -0,0 +1 @@`
				`>[!WARNING] {% data variables.product.github %} may add new features to the {% data variables.product.prodname_github_security_configuration %} without warning. If you have concerns and prefer to test out features before they are turned on, we suggest you do not use the {% data variables.product.prodname_github_security_configuration %}.`
				`@@ -0,0 +1 @@`
				`>[!NOTE] Some features enabled in {% data variables.product.prodname_security_configurations %} may require Actions minutes to work. {% data variables.product.prodname_dotcom %} will let you know if that's the case when you apply the configuration to a repository. For more information about billing for {% data variables.product.prodname_actions %}, see "[AUTOTITLE](/billing/managing-billing-for-github-actions/about-billing-for-github-actions)."`