12 KiB
title, intro, permissions, redirect_from, versions, type, topics, shortTitle
| title | intro | permissions | redirect_from | versions | type | topics | shortTitle | ||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Securing your repository | You can use a number of {% data variables.product.prodname_dotcom %} features to help keep your repository secure. | Repository administrators and organization owners can configure repository security settings. |
|
|
how_to |
|
Secure your repository |
Introduction
This guide shows you how to configure security features for a repository. You must be a repository administrator or organization owner to configure security settings for a repository.
Your security needs are unique to your repository, so you may not need to enable every feature for your repository. For more information, see "{% data variables.product.prodname_dotcom %} security features."
{% data reusables.advanced-security.security-feature-availability %}
Managing access to your repository
The first step to securing a repository is to set up who can see and modify your code. For more information, see "Managing repository settings."
From the main page of your repository, click {% octicon "gear" aria-label="The Settings gear" %}Settings, then scroll down to the "Danger Zone."
- To change who can view your repository, click Change visibility. For more information, see "Setting repository visibility."{% ifversion fpt or ghec or ghes > 3.3 or ghae-issue-5974 %}
- To change who can access your repository and adjust permissions, click Manage access. For more information, see"Managing teams and people with access to your repository."{% endif %}
Setting a security policy
- From the main page of your repository, click {% octicon "shield" aria-label="The shield symbol" %} Security.
- Click Security policy.
- Click Start setup.
- Add information about supported versions of your project and how to report vulnerabilities.
For more information, see "Adding a security policy to your repository."
{% ifversion fpt or ghes or ghae or ghec %}
Managing the dependency graph
{% ifversion fpt or ghec %} The dependency graph is automatically generated for all public repositories, and you can choose to enable it for private repositories. It interprets manifest and lock files in a repository to identify dependencies.
- From the main page of your repository, click {% octicon "gear" aria-label="The Settings gear" %} Settings.
- Click Security & analysis.
- Next to Dependency graph, click Enable or Disable. {% endif %}
{% data reusables.dependabot.dependabot-alerts-dependency-graph-enterprise %}
For more information, see "Exploring the dependencies of a repository."
{% endif %}
{% ifversion fpt or ghes or ghae or ghec %}
Managing {% data variables.product.prodname_dependabot_alerts %}
{% data variables.product.prodname_dependabot_alerts %} are generated when {% data variables.product.prodname_dotcom %} identifies a dependency in the dependency graph with a vulnerability. {% ifversion fpt or ghec %}You can enable {% data variables.product.prodname_dependabot_alerts %} for any repository.{% endif %}
{% ifversion fpt or ghec %}
- Click your profile photo, then click Settings.
- Click Security & analysis.
- Click Enable all next to {% data variables.product.prodname_dependabot_alerts %}. {% endif %}
{% data reusables.dependabot.dependabot-alerts-beta %} {% data reusables.dependabot.dependabot-alerts-dependency-graph-enterprise %}
For more information, see "About {% data variables.product.prodname_dependabot_alerts %}{% ifversion fpt or ghec %}" and "Managing security and analysis settings for your personal account{% endif %}."
{% endif %}
{% ifversion fpt or ghes > 3.1 or ghae or ghec %}
Managing dependency review
Dependency review lets you visualize dependency changes in pull requests before they are merged into your repositories. For more information, see "About dependency review."
Dependency review is a {% data variables.product.prodname_GH_advanced_security %} feature. {% ifversion fpt or ghec %}Dependency review is already enabled for all public repositories. {% ifversion fpt %}Organizations that use {% data variables.product.prodname_ghe_cloud %} with {% data variables.product.prodname_advanced_security %} can additionally enable dependency review for private and internal repositories. For more information, see the {% data variables.product.prodname_ghe_cloud %} documentation. {% endif %}{% endif %}{% ifversion ghec or ghes or ghae %}To enable dependency review for a {% ifversion ghec %}private or internal {% endif %}repository, ensure that the dependency graph is enabled and enable {% data variables.product.prodname_GH_advanced_security %}.
- From the main page of your repository, click {% octicon "gear" aria-label="The Settings gear" %}Settings.
- Click Security & analysis.
- {% ifversion ghec %}If dependency graph is not already enabled, click Enable.{% elsif ghes or ghae %}Check that dependency graph is configured for your enterprise.{% endif %}
- If {% data variables.product.prodname_GH_advanced_security %} is not already enabled, click Enable.
{% endif %}
{% endif %}
{% ifversion fpt or ghec or ghes > 3.2 %}
Managing {% data variables.product.prodname_dependabot_security_updates %}
For any repository that uses {% data variables.product.prodname_dependabot_alerts %}, you can enable {% data variables.product.prodname_dependabot_security_updates %} to raise pull requests with security updates when vulnerabilities are detected.
- From the main page of your repository, click {% octicon "gear" aria-label="The Settings gear" %}Settings.
- Click Security & analysis.
- Next to {% data variables.product.prodname_dependabot_security_updates %}, click Enable.
For more information, see "About {% data variables.product.prodname_dependabot_security_updates %}" and "Configuring {% data variables.product.prodname_dependabot_security_updates %}."
Managing {% data variables.product.prodname_dependabot_version_updates %}
You can enable {% data variables.product.prodname_dependabot %} to automatically raise pull requests to keep your dependencies up-to-date. For more information, see "About {% data variables.product.prodname_dependabot_version_updates %}."
{% if dependabot-settings-update-37 %}
- From the main page of your repository, click {% octicon "gear" aria-label="The Settings gear" %} Settings.
- Click Security & analysis.
- Next to {% data variables.product.prodname_dependabot_version_updates %}, click Enable to create a basic dependabot.yml configuration file.
- Specify the dependencies to update and commit the file to the repository. For more information, see "Configuring Dependabot version updates."
{% else %} To enable {% data variables.product.prodname_dependabot_version_updates %}, you must create a dependabot.yml configuration file. For more information, see "Configuring {% data variables.product.prodname_dependabot %} version updates." {% endif %}
{% endif %}
Configuring {% data variables.product.prodname_code_scanning %}
You can set up {% data variables.product.prodname_code_scanning %} to automatically identify vulnerabilities and errors in the code stored in your repository by using a {% data variables.product.prodname_codeql_workflow %} or third-party tool. For more information, see "Setting up {% data variables.product.prodname_code_scanning %} for a repository."
{% data variables.product.prodname_code_scanning_capc %} is available {% ifversion fpt or ghec %}for all public repositories, and for private repositories owned by organizations that are part of an enterprise with a license for {% else %}for organization-owned repositories if your enterprise uses {% endif %}{% data variables.product.prodname_GH_advanced_security %}.
Configuring {% data variables.product.prodname_secret_scanning %}
{% data variables.product.prodname_secret_scanning_caps %} is {% ifversion fpt or ghec %}enabled for all public repositories and is available for private repositories owned by organizations that are part of an enterprise with a license for {% else %}available for organization-owned repositories if your enterprise uses {% endif %}{% data variables.product.prodname_GH_advanced_security %}. {% ifversion fpt %}For more information, see the {% data variables.product.prodname_ghe_cloud %} documentation.{% else %}{% data variables.product.prodname_secret_scanning_caps %} may already be enabled for your repository, depending upon your organization's settings.
- From the main page of your repository, click {% octicon "gear" aria-label="The Settings gear" %}Settings.
- Click Security & analysis.
- If {% data variables.product.prodname_GH_advanced_security %} is not already enabled, click Enable.
- Next to {% data variables.product.prodname_secret_scanning_caps %}, click Enable. {% endif %}
Next steps
You can view and manage alerts from security features to address dependencies and vulnerabilities in your code. For more information, see {% ifversion fpt or ghes or ghec %} "Viewing {% data variables.product.prodname_dependabot_alerts %} for vulnerable dependencies,"{% endif %} {% ifversion fpt or ghec or ghes > 3.2 %}"Managing pull requests for dependency updates," {% endif %}"Managing {% data variables.product.prodname_code_scanning %} for your repository," and "Managing alerts from {% data variables.product.prodname_secret_scanning %}."
{% ifversion fpt or ghec %}If you have a security vulnerability, you can create a security advisory to privately discuss and fix the vulnerability. For more information, see "About {% data variables.product.prodname_security_advisories %}" and "Creating a security advisory." {% endif %}