Co-authored-by: Matt Pollard <mattpollard@users.noreply.github.com>
Co-authored-by: Grace Park <gracepark@github.com>
Co-authored-by: Steve Guntrip <12534592+stevecat@users.noreply.github.com>
Co-authored-by: Robert Sese <sese@github.com>
Co-authored-by: Peter Bengtsson <peterbe@github.com>
Co-authored-by: Rachael Sewell <rachmari@github.com>
---
title: Securing your repository
intro: 'You can use a number of {% data variables.product.prodname_dotcom %} features to help keep your repository secure.'
permissions: Repository administrators and organization owners can configure repository security settings.
redirect_from:
versions:
type: how_to
topics:
shortTitle: Secure your repository
---
## Introduction
This guide shows you how to configure security features for a repository. You must be a repository administrator or organization owner to configure security settings for a repository.
Your security needs are unique to your repository, so you may not need to enable every feature for your repository. For more information, see "{% data variables.product.prodname_dotcom %} security features."
Some security features are only available {% ifversion fpt or ghec %}for public repositories, and for private repositories owned by organizations with {% else %}if you have {% endif %}an {% data variables.product.prodname_advanced_security %} license. {% data reusables.advanced-security.more-info-ghas %}
## Managing access to your repository
The first step to securing a repository is to set up who can see and modify your code. For more information, see "Managing repository settings."
1. From the main page of your repository, click {% octicon "gear" aria-label="The Settings gear" %} Settings, then scroll down to the "Danger Zone."
   - To change who can view your repository, click Change visibility. For more information, see "Setting repository visibility."{% ifversion fpt or ghec %}
   - To change who can access your repository and adjust permissions, click Manage access. For more information, see "Managing teams and people with access to your repository."{% endif %}
{% ifversion fpt or ghes > 3.0 or ghae-next or ghec %}
## Setting a security policy
- From the main page of your repository, click {% octicon "shield" aria-label="The shield symbol" %} Security.
- Click Security policy.
- Click Start setup.
- Add information about supported versions of your project and how to report vulnerabilities.
For more information, see "Adding a security policy to your repository."
{% endif %}
{% ifversion fpt or ghes > 2.22 or ghae-issue-4864 or ghec %}
## Managing the dependency graph
{% ifversion fpt or ghec %}
Once you have enabled the dependency graph, it is automatically generated for all public repositories, and you can choose to enable it for private repositories.
- From the main page of your repository, click {% octicon "gear" aria-label="The Settings gear" %} Settings.
- Click Security & analysis.
- Next to Dependency graph, click Enable or Disable.
{% endif %}
{% data reusables.dependabot.dependabot-alerts-dependency-graph-enterprise %}
For more information, see "Exploring the dependencies of a repository."
{% endif %}
{% ifversion fpt or ghes > 2.22 or ghae-issue-4864 or ghec %}
## Managing {% data variables.product.prodname_dependabot_alerts %}
{% ifversion fpt or ghec %}
By default, {% data variables.product.prodname_dotcom %} detects vulnerabilities in public repositories and generates {% data variables.product.prodname_dependabot_alerts %}. {% data variables.product.prodname_dependabot_alerts %} can also be enabled for private repositories.
- Click your profile photo, then click Settings.
- Click Security & analysis.
- Click Enable all next to {% data variables.product.prodname_dependabot_alerts %}.
{% endif %}
{% data reusables.dependabot.dependabot-alerts-beta %}
{% data reusables.dependabot.dependabot-alerts-dependency-graph-enterprise %}
For more information, see "About alerts for vulnerable dependencies{% ifversion fpt or ghec %}" and "Managing security and analysis settings for your user account{% endif %}."
{% endif %}
{% ifversion fpt or ghes > 3.1 or ghae-issue-4864 or ghec %}
## Managing dependency review
Dependency review lets you visualize dependency changes in pull requests before they are merged into your repositories. {%- ifversion fpt %}Dependency review is available in all public repositories. For private and internal repositories you require a license for {% data variables.product.prodname_advanced_security %}. To enable dependency review for a repository, enable the dependency graph and enable {% data variables.product.prodname_advanced_security %}. {%- elsif ghes or ghae %}Dependency review is available when dependency graph is enabled for {% data variables.product.product_location %} and you enable {% data variables.product.prodname_advanced_security %} for the repository (see below).{% endif %} For more information, see "About dependency review."
{% endif %}
{% ifversion fpt or ghec %}
## Managing {% data variables.product.prodname_dependabot_security_updates %}
For any repository that uses {% data variables.product.prodname_dependabot_alerts %}, you can enable {% data variables.product.prodname_dependabot_security_updates %} to raise pull requests with security updates when vulnerabilities are detected.
- From the main page of your repository, click {% octicon "gear" aria-label="The Settings gear" %} Settings.
- Click Security & analysis.
- Next to {% data variables.product.prodname_dependabot_security_updates %}, click Enable.
For more information, see "About {% data variables.product.prodname_dependabot_security_updates %}" and "Configuring {% data variables.product.prodname_dependabot_security_updates %}."
## Managing {% data variables.product.prodname_dependabot_version_updates %}
You can enable {% data variables.product.prodname_dependabot %} to automatically raise pull requests to keep your dependencies up-to-date. For more information, see "About {% data variables.product.prodname_dependabot_version_updates %}."
To enable {% data variables.product.prodname_dependabot_version_updates %}, you must create a dependabot.yml configuration file. For more information, see "Enabling and disabling version updates."
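As an added example that is not part of the original article, a minimal `dependabot.yml` placed at `.github/dependabot.yml`; the package ecosystems, schedule, label and pull request limit are assumptions chosen for illustration:

```yaml
# .github/dependabot.yml (added example; ecosystems and schedule are assumptions)
version: 2
updates:
  # Keep the npm dependencies declared in the repository root up to date
  - package-ecosystem: "npm"
    directory: "/"
    schedule:
      interval: "weekly"
      day: "monday"
    # Cap how many version-update pull requests Dependabot keeps open at once
    open-pull-requests-limit: 5
    labels:
      - "dependencies"
  # Also keep the actions referenced in .github/workflows up to date
  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      interval: "weekly"
```

Commit the file to the default branch; Dependabot reads it from there and starts raising version-update pull requests on the configured schedule.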
{% endif %}
{% ifversion fpt or ghes > 2.22 or ghae or ghec %}
## Configuring {% data variables.product.prodname_code_scanning %}
{% data variables.product.prodname_code_scanning_capc %} is available {% ifversion fpt or ghec %}for all public repositories, and for private repositories owned by organizations with {% else %} for organization-owned repositories if you have {% endif %}an {% data variables.product.prodname_advanced_security %} license.
You can set up {% data variables.product.prodname_code_scanning %} to automatically identify vulnerabilities and errors in the code stored in your repository by using a {% data variables.product.prodname_codeql_workflow %} or third-party tool. For more information, see "Setting up {% data variables.product.prodname_code_scanning %} for a repository."
## Configuring {% data variables.product.prodname_secret_scanning %}
{% data variables.product.prodname_secret_scanning_caps %} is available {% ifversion fpt or ghec %}for all public repositories, and for private repositories owned by organizations with {% else %} for organization-owned repositories if you have {% endif %}an {% data variables.product.prodname_advanced_security %} license.
{% data variables.product.prodname_secret_scanning_caps %} may be enabled for your repository by default depending upon your organization's settings.
- From the main page of your repository, click {% octicon "gear" aria-label="The Settings gear" %} Settings.
- Click Security & analysis.
- If {% data variables.product.prodname_GH_advanced_security %} is not already enabled, click Enable.
- Next to {% data variables.product.prodname_secret_scanning_caps %}, click Enable.
{% endif %}
## Next steps
You can view and manage alerts from security features to address dependencies and vulnerabilities in your code. For more information, see {% ifversion fpt or ghes > 2.22 or ghec %} "Viewing and updating vulnerable dependencies in your repository,"{% endif %} {% ifversion fpt or ghec %}"Managing pull requests for dependency updates," {% endif %}"Managing {% data variables.product.prodname_code_scanning %} for your repository," and "Managing alerts from {% data variables.product.prodname_secret_scanning %}."
{% ifversion fpt or ghec %}If you have a security vulnerability, you can create a security advisory to privately discuss and fix the vulnerability. For more information, see "About {% data variables.product.prodname_security_advisories %}" and "Creating a security advisory." {% endif %}