docs/content/admin/managing-code-security/securing-your-enterprise/creating-a-custom-security-configuration-for-your-enterprise.md
---
title: Creating a custom security configuration for your enterprise
shortTitle: Create custom configuration
intro: 'Build a {% data variables.product.prodname_custom_security_configuration %} to meet the specific security needs of your enterprise.'
permissions: '{% data reusables.permissions.security-configuration-enterprise-enable %}'
versions:
  feature: security-configuration-enterprise-level
topics:
  - Advanced Security
  - Enterprise
  - Security
---

## About {% data variables.product.prodname_custom_security_configurations %}

{% ifversion security-configurations-cloud %}

We recommend securing your enterprise with the {% data variables.product.prodname_github_security_configuration %}, then evaluating the security findings on your repositories before configuring {% data variables.product.prodname_custom_security_configurations %}. For more information, see AUTOTITLE.

{% endif %}

With {% data variables.product.prodname_custom_security_configurations %}, you can create collections of enablement settings for {% data variables.product.company_short %}'s security products to meet the specific security needs of your enterprise. For example, you can create a different {% data variables.product.prodname_custom_security_configuration %} for each organization or group of organizations to reflect their unique security requirements and compliance obligations.

{% ifversion ghas-products %}

You can also choose whether or not you want to include {% data variables.product.prodname_GH_code_security %} or {% data variables.product.prodname_GH_secret_protection %} features in a configuration.

If you do, keep in mind that these features incur usage costs (or require {% data variables.product.prodname_GHAS %} licenses) when applied to private and internal repositories. For more information, see AUTOTITLE.

{% endif %}

{% ifversion security-configurations-ghes-only %}

When creating a security configuration, keep in mind that:

  • Only features installed by a site administrator on your {% data variables.product.prodname_ghe_server %} instance will appear in the UI.
  • {% data variables.product.prodname_GHAS %} features will only be visible if your enterprise or {% data variables.product.prodname_ghe_server %} instance holds a {% data variables.product.prodname_GHAS %}{% ifversion ghas-products %}, {% data variables.product.prodname_GH_code_security %}, or {% data variables.product.prodname_GH_secret_protection %}{% endif %} license.
  • Certain features, like {% data variables.product.prodname_dependabot_security_updates %} and {% data variables.product.prodname_code_scanning %} default setup, also require that {% data variables.product.prodname_actions %} is installed on the {% data variables.product.prodname_ghe_server %} instance.

{% endif %}

{% ifversion ghas-products %}

{% data reusables.advanced-security.bundled-vs-unbundled-ui %} See Creating a {% data variables.product.prodname_GHAS %} configuration or Creating a {% data variables.product.prodname_cs_and_sp %} configuration.

## Creating a {% data variables.product.prodname_cs_and_sp %} configuration

{% data reusables.enterprise-accounts.access-enterprise %} {% data reusables.enterprise-accounts.settings-tab %} {% data reusables.enterprise-accounts.advanced-security-tab %}

  1. In the "{% data variables.product.prodname_security_configurations_caps %}" section, click New configuration.

  2. To help identify your {% data variables.product.prodname_custom_security_configuration %} and clarify its purpose on the "{% data variables.product.prodname_security_configurations_caps %}" page, name your configuration and create a description.

  3. Optionally, enable "{% data variables.product.prodname_secret_protection %}", a paid feature for private {% ifversion ghec %}and internal {% endif %} repositories. Enabling {% data variables.product.prodname_secret_protection %} enables alerts for {% data variables.product.prodname_secret_scanning %}. In addition, you can choose whether to enable, disable, or keep the existing settings for the following {% data variables.product.prodname_secret_scanning %} features: {% ifversion secret-scanning-validity-check-partner-patterns %}

    • Validity checks. To learn more about validity checks for partner patterns, see AUTOTITLE.{% endif %}{% ifversion org-npp-enablement-security-configurations %}
    • Non-provider patterns. To learn more about scanning for non-provider patterns, see AUTOTITLE and AUTOTITLE.{% endif %}{% ifversion secret-scanning-ai-generic-secret-detection %}
    • Scan for generic passwords. To learn more, see AUTOTITLE.{% endif %}
    • Push protection. To learn about push protection, see AUTOTITLE.{% ifversion security-delegated-alert-dismissal %}
    • Prevent direct alert dismissals. To learn more, see AUTOTITLE.{% endif %}
  4. Optionally, enable "{% data variables.product.prodname_code_security %}", a paid feature for private {% ifversion ghec %}and internal {% endif %} repositories. You can choose whether to enable, disable, or keep the existing settings for the following {% data variables.product.prodname_code_scanning %} features:

    • Default setup. To learn more about default setup, see AUTOTITLE. {% data reusables.code-scanning.enable-default-setup-allow-advanced-setup-note %}{% ifversion code-scanning-default-setup-customize-labels %}
    • Runner type. If you want to target specific runners for {% data variables.product.prodname_code_scanning %}, you can choose to use custom-labeled runners at this step. See AUTOTITLE.{% endif %} {% ifversion security-delegated-alert-dismissal %}
    • Prevent direct alert dismissals. To learn more, see AUTOTITLE.{% endif %}
  5. Still under "{% data variables.product.prodname_code_security %}", in the "Dependency scanning" table, choose whether you want to enable, disable, or keep the existing settings for the following dependency scanning features:

    • Dependency graph. To learn about dependency graph, see AUTOTITLE.

      > [!TIP]
      > When both "{% data variables.product.prodname_code_security %}" and Dependency graph are enabled, dependency review is enabled as well. See AUTOTITLE.{%- ifversion maven-transitive-dependencies %}

    • Automatic dependency submission. To learn about automatic dependency submission, see AUTOTITLE.{%- endif %}
    • {% data variables.product.prodname_dependabot %} alerts. To learn about {% data variables.product.prodname_dependabot %}, see AUTOTITLE.
    • Security updates. To learn about security updates, see AUTOTITLE.{% ifversion dependabot-delegated-alert-dismissal %}
    • Prevent direct alert dismissals. To learn more, see AUTOTITLE.{% endif %}{% ifversion fpt or ghec %}
  6. For "Private vulnerability reporting", choose whether you want to enable, disable, or keep the existing settings. To learn about private vulnerability reporting, see AUTOTITLE.{% endif %}

  7. Optionally, in the "Policy" section, you can use additional options to control how the configuration is applied:

    • Use as default for newly created repositories. Select the None {% octicon "triangle-down" aria-hidden="true" aria-label="triangle-down" %} dropdown menu, then click Public, Private and internal, or All repositories. {% data reusables.security-configurations.default-configuration-exception-repo-transfers %}
    • Enforce configuration. Block repository owners from changing features that are enabled or disabled by the configuration (features that are not set aren't enforced). Select Enforce from the dropdown menu.
  8. To finish creating your {% data variables.product.prodname_custom_security_configuration %}, click Save configuration.

{% data reusables.code-scanning.custom-security-configuration-enforcement-edge-cases-enterprise %}

## Creating a {% data variables.product.prodname_GHAS %} configuration

{% data reusables.enterprise-accounts.access-enterprise %} {% data reusables.enterprise-accounts.settings-tab %} {% data reusables.enterprise-accounts.advanced-security-tab %}

  1. In the top section, click New configuration.

  2. To help identify your {% data variables.product.prodname_custom_security_configuration %} and clarify its purpose on the "New configuration" page, name your configuration and create a description.

  3. In the "{% data variables.product.prodname_GHAS %} features" row, choose whether to include or exclude {% data variables.product.prodname_GHAS %} (GHAS) features.

  4. In the "{% data variables.product.prodname_secret_scanning_caps %}" table, choose whether you want to enable, disable, or keep the existing settings for the following security features:{% ifversion ghes > 3.16 %}

    • Alerts. To learn about {% data variables.secret-scanning.alerts %}, see AUTOTITLE.{% endif %} {% ifversion secret-scanning-validity-check-partner-patterns %}
    • Validity checks. To learn more about validity checks for partner patterns, see AUTOTITLE.{% endif %}{% ifversion org-npp-enablement-security-configurations %}
    • Non-provider patterns. To learn more about scanning for non-provider patterns, see AUTOTITLE and AUTOTITLE.{% endif %}{% ifversion secret-scanning-ai-generic-secret-detection %}
    • Scan for generic passwords. To learn more, see AUTOTITLE.{% endif %}
    • Push protection. To learn about push protection, see AUTOTITLE.{% ifversion security-delegated-alert-dismissal %}
    • Prevent direct alert dismissals. To learn more, see AUTOTITLE.{% endif %}
  5. In the "{% data variables.product.prodname_code_scanning_caps %}" table, choose whether you want to enable, disable, or keep the existing settings for {% data variables.product.prodname_code_scanning %} default setup.

    • Default setup. To learn more, see AUTOTITLE. {% data reusables.code-scanning.enable-default-setup-allow-advanced-setup-note %}{% ifversion code-scanning-default-setup-customize-labels %}
    • Runner type. If you want to target specific runners for {% data variables.product.prodname_code_scanning %}, you can choose to use custom-labeled runners at this step. See AUTOTITLE.{% endif %} {% ifversion security-delegated-alert-dismissal %}
    • Prevent direct alert dismissals. To learn more, see AUTOTITLE.{% endif %}
  6. In the "Dependency scanning" table, choose whether you want to enable, disable, or keep the existing settings for the following dependency scanning features:

    • Dependency graph. To learn about dependency graph, see AUTOTITLE.

      > [!TIP]
      > When both "{% data variables.product.prodname_GHAS %}" and Dependency graph are enabled, dependency review is enabled as well. See AUTOTITLE.{%- ifversion maven-transitive-dependencies %}

    • Automatic dependency submission. To learn about automatic dependency submission, see AUTOTITLE.{%- endif %}
    • {% data variables.product.prodname_dependabot %} alerts. To learn about {% data variables.product.prodname_dependabot %}, see AUTOTITLE.
    • Security updates. To learn about security updates, see AUTOTITLE.{% ifversion dependabot-delegated-alert-dismissal %}
    • Prevent direct alert dismissals. To learn more, see AUTOTITLE.{% endif %}{% ifversion fpt or ghec %}
  7. For "Private vulnerability reporting", choose whether you want to enable, disable, or keep the existing settings. To learn about private vulnerability reporting, see AUTOTITLE.{% endif %}

  8. Optionally, in the "Policy" section, you can use additional options to control how the configuration is applied:

    • Use as default for newly created repositories. Select the None {% octicon "triangle-down" aria-hidden="true" aria-label="triangle-down" %} dropdown menu, then click Public, Private and internal, or All repositories. {% data reusables.security-configurations.default-configuration-exception-repo-transfers %}
    • Enforce configuration. Block repository owners from changing features that are enabled or disabled by the configuration (features that are not set aren't enforced). Select Enforce from the dropdown menu.
  9. To finish creating your {% data variables.product.prodname_custom_security_configuration %}, click Save configuration.

{% data reusables.code-scanning.custom-security-configuration-enforcement-edge-cases-enterprise %}

{% else %}

> [!NOTE]
> The enablement status of some security features is dependent on other, higher-level security features. For example, disabling {% data variables.secret-scanning.alerts %} will also disable non-provider patterns and push protection.

{% data reusables.enterprise-accounts.access-enterprise %} {% data reusables.enterprise-accounts.settings-tab %} {% data reusables.enterprise-accounts.advanced-security-tab %}

  1. In the "Configurations" section, click New configuration.

  2. To help identify your {% data variables.product.prodname_custom_security_configuration %} and clarify its purpose on the "Configurations" page, name your configuration and create a description.

  3. In the "{% data variables.product.prodname_GHAS %} features" row, choose whether to include or exclude {% data variables.product.prodname_GHAS %} (GHAS) features. If you plan to apply a {% data variables.product.prodname_custom_security_configuration %} with GHAS features to private repositories, you must have available GHAS licenses for each active unique committer to those repositories, or the features will not be enabled. See AUTOTITLE.

  4. In the "Dependency graph and {% data variables.product.prodname_dependabot %}" section of the security settings table, choose whether you want to enable, disable, or keep the existing settings for the following security features:

    • {% data variables.product.prodname_dependabot_alerts %}. To learn about {% data variables.product.prodname_dependabot %}, see AUTOTITLE.

    > [!NOTE]
    > {% data variables.dependabot.auto_triage_rules %} are not available to set at enterprise level. If an enterprise-level security configuration is applied to a repository, it can still have {% data variables.dependabot.auto_triage_rules %} enabled, but you can't turn off these rules at the level of the enterprise.

    • Security updates. To learn about security updates, see AUTOTITLE.

    > [!NOTE]
    > You cannot manually change the enablement setting for the dependency graph. This setting is installed and managed by a site administrator at the instance level.

  5. In the "{% data variables.product.prodname_code_scanning_caps %}" section of the security settings table, choose whether you want to enable, disable, or keep the existing settings for {% data variables.product.prodname_code_scanning %} default setup. To learn about default setup, see AUTOTITLE.

  6. In the "{% data variables.product.prodname_secret_scanning_caps %}" section of the security settings table, choose whether you want to enable, disable, or keep the existing settings for the following security features:

    • Alerts. To learn about {% data variables.secret-scanning.alerts %}, see AUTOTITLE.{% ifversion org-npp-enablement-security-configurations %}
    • Non-provider patterns. To learn more about scanning for non-provider patterns, see AUTOTITLE and AUTOTITLE.{% endif %}
    • Push protection. To learn about push protection, see AUTOTITLE.
  7. Optionally, in the "Policy" section, you can choose to automatically apply the {% data variables.product.prodname_security_configuration %} to newly created repositories depending on their visibility. Select the None {% octicon "triangle-down" aria-hidden="true" aria-label="triangle-down" %} dropdown menu, then click Public, Private and internal, or All repositories.

  8. Optionally, in the "Policy" section, you can enforce the configuration and block repository owners from changing features that are enabled or disabled by the configuration (features that are not set aren't enforced). Next to "Enforce configuration", select Enforce from the dropdown menu.

    {% data reusables.code-scanning.custom-security-configuration-enforcement-edge-cases-enterprise %}

  9. To finish creating your {% data variables.product.prodname_custom_security_configuration %}, click Save configuration.

{% endif %}
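Whichever of the procedures above applies to your version, the configuration you save follows the same small set of rules: each feature is set to enable, disable, or "keep existing settings"; some features depend on others (disabling secret scanning alerts also turns off non-provider patterns and push protection); enforcement locks only the features the configuration actually sets; and the default-for-new-repositories policy is keyed on repository visibility. The Python below is an added example that models those rules so you can see what a configuration will do to a repository, and which features it leaves open, before you save it. It is not code from this page or from GitHub. The feature keys, value strings, function names and the two sample configurations are assumptions chosen to mirror the UI wording, and all sample data is constructed.

```python
"""Model of the enablement semantics for custom security configurations.

Added example, not GitHub's code. Feature keys, value strings and
function names are assumptions that mirror the UI wording.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

ENABLED = "enabled"
DISABLED = "disabled"
NOT_SET = None  # the UI's "keep existing settings": the configuration is silent

# Stated on the page: disabling secret scanning alerts also disables
# non-provider patterns and push protection.
DEPENDS_ON: Dict[str, str] = {
    "secret_scanning_non_provider_patterns": "secret_scanning_alerts",
    "secret_scanning_push_protection": "secret_scanning_alerts",
}

VISIBILITIES = ("public", "private", "internal")


@dataclass(frozen=True)
class SecurityConfiguration:
    name: str
    settings: Dict[str, Optional[str]] = field(default_factory=dict)
    enforced: bool = False
    # "none", "public", "private_and_internal" or "all", as in the Policy section
    default_for_new_repos: str = "none"


def resolve(settings: Dict[str, Optional[str]]) -> Dict[str, Optional[str]]:
    """Apply the dependency rule: a disabled parent forces its children off."""
    out = dict(settings)
    for child, parent in DEPENDS_ON.items():
        if out.get(parent) == DISABLED:
            out[child] = DISABLED
    return out


def apply_to_repo(config: SecurityConfiguration,
                  repo_settings: Dict[str, str]) -> Dict[str, str]:
    """Effective repository settings after the configuration is applied.

    Features the configuration leaves NOT_SET keep whatever the repository
    already had; everything else is overwritten. Dependency review is derived,
    not set: it is on only when the paid code security product and the
    dependency graph are both on.
    """
    effective = dict(repo_settings)
    for feature, value in resolve(config.settings).items():
        if value is not NOT_SET:
            effective[feature] = value
    paid_on = effective.get("code_security") == ENABLED
    graph_on = effective.get("dependency_graph") == ENABLED
    effective["dependency_review"] = ENABLED if (paid_on and graph_on) else DISABLED
    return effective


def repo_owner_can_change(config: SecurityConfiguration, feature: str) -> bool:
    """Enforcement locks only features the configuration explicitly sets.

    Assumption: a value forced off by the dependency rule does not count
    as "set" for enforcement; the page does not say how the UI treats it.
    """
    if not config.enforced:
        return True
    return config.settings.get(feature, NOT_SET) is NOT_SET


def unenforced_features(config: SecurityConfiguration,
                        all_features: List[str]) -> List[str]:
    """Audit helper: features an enforced configuration still leaves open."""
    return [f for f in all_features if repo_owner_can_change(config, f)]


def applies_to_new_repo(config: SecurityConfiguration, visibility: str) -> bool:
    """Whether the default-for-new-repositories policy covers a new repository."""
    if visibility not in VISIBILITIES:
        raise ValueError(f"unknown visibility: {visibility}")
    policy = config.default_for_new_repos
    if policy == "all":
        return True
    if policy == "public":
        return visibility == "public"
    if policy == "private_and_internal":
        return visibility in ("private", "internal")
    return False  # "none"


# Constructed sample: an enforced configuration that turns on the paid
# features but leaves push protection at "keep existing settings".
BASELINE = SecurityConfiguration(
    name="baseline",
    settings={
        "code_security": ENABLED,
        "dependency_graph": ENABLED,
        "dependabot_alerts": ENABLED,
        "secret_scanning_alerts": ENABLED,
        "secret_scanning_push_protection": NOT_SET,
    },
    enforced=True,
    default_for_new_repos="private_and_internal",
)

# Constructed sample: a configuration that only disables secret scanning alerts.
NO_SECRET_SCANNING = SecurityConfiguration(
    name="no-secret-scanning",
    settings={"secret_scanning_alerts": DISABLED},
)

# Constructed sample: a repository with only secret scanning turned on.
REPO_BEFORE = {
    "code_security": DISABLED,
    "dependency_graph": DISABLED,
    "dependabot_alerts": DISABLED,
    "secret_scanning_alerts": ENABLED,
    "secret_scanning_push_protection": ENABLED,
}

if __name__ == "__main__":
    for feature, value in sorted(apply_to_repo(BASELINE, REPO_BEFORE).items()):
        print(f"{feature:40} {value}")
    print("left to repo owners:", unenforced_features(BASELINE, sorted(REPO_BEFORE)))
```

The check worth running before you click Enforce is `unenforced_features`: it lists exactly the features an enforced configuration still leaves to repository owners, which is where a "locked down" configuration quietly is not. The second sample shows the other trap: a configuration that disables secret scanning alerts and says nothing about push protection still turns push protection off on every repository it is applied to.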

## Next steps

To optionally configure additional {% data variables.product.prodname_secret_scanning %} settings for the enterprise, see AUTOTITLE.

To apply your {% data variables.product.prodname_custom_security_configuration %} to repositories in your organization, see AUTOTITLE.

{% data reusables.security-configurations.edit-configuration-next-step %}