jprdonnelly/docs
1
0
Fork 0
mirror of synced 2025-12-19 18:10:59 -05:00
Code Issues Projects Releases Wiki Activity
Files
8b515c025ee1f7b8b081a82b4f852249b0f867f2
docs/content/code-security/securing-your-organization/meeting-your-specific-security-needs-with-custom-security-configurations/creating-a-custom-security-configuration.md

7.7 KiB
Raw Blame History

title, shortTitle, intro, permissions, versions, topics
title shortTitle intro permissions versions topics
Creating a custom security configuration Create custom configuration Build a {% data variables.product.prodname_custom_security_configuration %} to meet the specific security needs of repositories in your organization. {% data reusables.security-configurations.security-configurations-permissions %}
feature
security-configurations
Advanced Security
Organizations
Security

{% data reusables.security-configurations.security-configurations-beta-note %}

About {% data variables.product.prodname_custom_security_configurations %}

We recommend securing your organization with the {% data variables.product.prodname_github_security_configuration %}, then evaluating the security findings on your repositories before configuring {% data variables.product.prodname_custom_security_configurations %}. For more information, see "AUTOTITLE."

With {% data variables.product.prodname_custom_security_configurations %}, you can create collections of enablement settings for {% data variables.product.company_short %}'s security products to meet the specific security needs of your organization. For example, you can create a different {% data variables.product.prodname_custom_security_configuration %} for each group of repositories to reflect their different levels of visibility, risk tolerance, and impact.

Creating a {% data variables.product.prodname_custom_security_configuration %}

{% note %}

Note: The enablement status of some security features is dependent on other, higher-level security features. For example, disabling dependency graph will also disable {% data variables.product.prodname_dependabot %}, vulnerability exposure analysis, and security updates. For {% data variables.product.prodname_security_configurations %}, dependent security features are indicated with indentation and {% octicon "reply" aria-hidden="true" %}.

{% endnote %}

{% data reusables.profile.access_org %} {% data reusables.organizations.org_settings %} {% data reusables.security-configurations.view-configurations-page %}

  1. In the "Code security configurations" section, click New configuration.

  2. To help identify your {% data variables.product.prodname_custom_security_configuration %} and clarify its purpose on the "Code {% data variables.product.prodname_security_configurations %}" page, name your configuration and create a description.

  3. In the "{% data variables.product.prodname_GH_advanced_security %} features" row, choose whether to include or exclude {% data variables.product.prodname_GH_advanced_security %} (GHAS) features. If you plan to apply a {% data variables.product.prodname_custom_security_configuration %} with GHAS features to private repositories, you must have available GHAS licenses for each active unique committer to those repositories, or the features will not be enabled. To learn more about committers and GHAS licensing, see "AUTOTITLE."

  4. In the "Dependency graph" section of the security settings table, choose whether you want to enable, disable, or keep the existing settings for the following security features:

    • Dependency graph. To learn about dependency graph, see "AUTOTITLE."{%- ifversion maven-transitive-dependencies %}
    • Automatic dependency submission. To learn about automatic dependency submission, see "AUTOTITLE."{%- endif %}
    • {% data variables.product.prodname_dependabot %}. To learn about {% data variables.product.prodname_dependabot %}, see "AUTOTITLE."
    • Security updates. To learn about security updates, see "AUTOTITLE."

    {% note %}

    Note: You cannot manually change the enablement settings for vulnerable function calls. If {% data variables.product.prodname_GH_advanced_security %} features and {% data variables.product.prodname_dependabot_alerts %} are enabled, vulnerable function calls is also enabled. Otherwise, it is disabled.

    {% endnote %}

  5. In the "{% data variables.product.prodname_code_scanning_caps %}" section of the security settings table, choose whether you want to enable, disable, or keep the existing settings for {% data variables.product.prodname_code_scanning %} default setup. To learn about default setup, see "AUTOTITLE."

  6. In the "{% data variables.product.prodname_secret_scanning_caps %}" section of the security settings table, choose whether you want to enable, disable, or keep the existing settings for the following security features:

    • {% data variables.product.prodname_secret_scanning_caps %}. To learn about {% data variables.product.prodname_secret_scanning %}, see "AUTOTITLE."{% ifversion secret-scanning-validity-check-partner-patterns %}
    • Validity check. To learn more about validity checks for partner patterns, see "Checking a secret's validity".{% endif %}
    • Push protection. To learn about push protection, see "AUTOTITLE." {% ifversion fpt or ghec %}

  7. In the "Private vulnerability reporting" section of the security settings table, choose whether you want to enable, disable, or keep the existing settings for private vulnerability reporting. To learn about private vulnerability reporting, see "AUTOTITLE." {% endif %}

  8. Optionally, in the "Policy" section, you can choose to automatically apply the {% data variables.product.prodname_security_configuration %} to newly created repositories depending on their visibility. Select the None {% octicon "triangle-down" aria-hidden="true" %} dropdown menu, then click Public, or Private and internal, or both.

    {% data reusables.security-configurations.default-configuration-exception-repo-transfers %}{% ifversion enforce-security-configurations %}

  9. Optionally, in the "Policy" section, you can enforce the configuration and block repository owners from changing features that are enabled or disabled by the configuration (features that are not set aren't enforced). Next to "Enforce configuration", select Enforce from the dropdown menu.{% ifversion enforce-security-configurations-beta %} This feature is in beta, and is subject to change.{% endif %}

    Note

    {% data reusables.code-scanning.custom-security-configuration-enforcement-edge-cases %}

{% endif %}

  1. To finish creating your {% data variables.product.prodname_custom_security_configuration %}, click Save configuration.

Next steps

To apply your {% data variables.product.prodname_custom_security_configuration %} to repositories in your organization, see "AUTOTITLE."

{% data reusables.security-configurations.edit-configuration-next-step %}

Reference in New Issue View Git Blame Copy Permalink