Skip to main content

Configuring global security settings for your organization

Customize GitHub Advanced Security features and create security managers to strengthen the security of your organization.

Who can use this feature?

Organization owners, security managers, and organization members with the admin role

About global settings

Alongside security configurations, which determine repository-level security settings, you should also configure global settings for your organization. Global settings apply to your entire organization, and can customize GitHub Advanced Security features based on your needs. You can also create security managers on the global settings page to monitor and maintain your organization's security.

Accessing the global settings page for your organization

  1. In the upper-right corner of GitHub, select your profile photo, then click Your organizations.

  2. Under your organization name, click Settings. If you cannot see the "Settings" tab, select the dropdown menu, then click Settings.

    Screenshot of the tabs in an organization's profile. The "Settings" tab is outlined in dark orange.

  3. In the "Security" section of the sidebar, select the Code security dropdown menu, then click Global settings.

Configuring global Dependabot settings

Dependabot consists of three different features that help you manage your dependencies:

  • Dependabot alerts—inform you about vulnerabilities in the dependencies that you use in your repository.
  • Dependabot security updates—automatically raise pull requests to update the dependencies you use that have known security vulnerabilities.
  • Dependabot version updates—automatically raise pull requests to keep your dependencies up-to-date.

You can customize several global settings for Dependabot:

Creating and managing Dependabot auto-triage rules

You can create and manage Dependabot auto-triage rules to instruct Dependabot to automatically dismiss or snooze Dependabot alerts, and even open pull requests to attempt to resolve them. To configure Dependabot auto-triage rules, click rules" %}, then create or edit a rule:

  • You can create a new rule by clicking New rule, then entering the details for your rule and clicking Create rule.
  • You can edit an existing rule by clicking , then making the desired changes and clicking Save rule.

For more information on Dependabot auto-triage rules, see "About Dependabot auto-triage rules" and "Customizing auto-triage rules to prioritize Dependabot alerts."

Grouping Dependabot security updates

Dependabot can group all automatically suggested security updates into a single pull request to reduce noise. To enable grouped security updates, select Grouped security updates. For more information about grouped updates and customization options, see "Configuring Dependabot security updates."

Enabling dependency updates on GitHub Actions runners

If both Dependabot and GitHub Actions are enabled for existing repositories in your organization, GitHub will automatically use GitHub-hosted runners to run dependency updates for those repositories.

Otherwise, to allow Dependabot to use GitHub Actions runners to perform dependency updates for all existing repositories in the organization, select "Dependabot on Actions runners".

For more information, see "About Dependabot on GitHub Actions runners."

To have greater control over Dependabot's access to your private registries and internal network resources, you can configure Dependabot to run on GitHub Actions self-hosted runners. For more information, see "About Dependabot on GitHub Actions runners" and "Managing Dependabot on self-hosted runners."

Granting Dependabot access to private repositories

To update private dependencies of repositories in your organization, Dependabot needs access to those repositories. To grant Dependabot access to the desired private repository, scroll down to the "Grant Dependabot access to private repositories" section, then use the search bar to find and select the desired repository. Be aware that granting Dependabot access to a repository means all users in your organization will have access to the contents of that repository through Dependabot updates. For more information about the supported ecosystems for private repositories, see "Dependabot supported ecosystems and repositories."

Configuring global code scanning settings

Code scanning is a feature that you use to analyze the code in a GitHub repository to find security vulnerabilities and coding errors. Any problems identified by the analysis are shown in your repository.

You can customize several global settings for code scanning:

Recommending the extended query suite for default setup

Code scanning offers specific groups of CodeQL queries, called CodeQL query suites, to run against your code. By default, the "Default" query suite is run. GitHub also offers the "Extended" query suite, which contains all the queries in the "Default" query suite, plus additional queries with lower precision and severity. To suggest the "Extended" query suite across your organization, select Recommend the extended query suite for repositories enabling default setup. For more information on built-in query suites for CodeQL default setup, see "CodeQL query suites."

Enabling Copilot Autofix for CodeQL

You can select Copilot Autofix to enable Copilot Autofix for all the repositories in your organization that use CodeQL default setup or CodeQL advanced setup. Copilot Autofix is an expansion of code scanning that suggests fixes for code scanning alerts. For more information, see "Responsible use of Copilot Autofix for code scanning."

Enabling Copilot Autofix for third-party code scanning tools

Note

Third-party code scanning tool support is in public preview, and subject to change. Currently, the third-party tool ESLint is supported. For more information, see "Responsible use of Copilot Autofix for code scanning."

You can select Copilot Autofix for third-party tools to enable Copilot Autofix for all the repositories in your organization that use third-party tools. Copilot Autofix is an expansion of code scanning that suggests fixes for code scanning alerts.

Setting a failure threshold for code scanning checks in pull requests

You can choose the severity levels at which code scanning check runs on pull requests will fail. To choose a security severity level, select the Security: SECURITY-SEVERITY-LEVEL dropdown menu, then click a security severity level. To choose an alert severity level, select the OTHER: ALERT-SEVERITY-LEVEL dropdown menu, then click an alert severity level. For more information, see "About code scanning alerts."

Configuring global secret scanning settings

Secret scanning is a security tool that scans the entire Git history of repositories, as well as issues, pull requests, discussions, and wikis in those repositories, for leaked secrets that have been accidentally committed, such as tokens or private keys.

You can customize several global settings for secret scanning:

To provide context for developers when secret scanning blocks a commit, you can display a link with more information on why the commit was blocked. To include a link, select Add a resource link in the CLI and the web UI when a commit is blocked. In the text box, type the link to the desired resource, then click Save.

Creating security managers for your organization

The security manager role grants members of your organization the ability to manage security settings and alerts across your organization. To grant all members of a team the security manager role, in the "Search for teams" text box, type the name of the desired team. In the dropdown menu that appears, click the team, then click I understand, grant security manager permissions.

Security managers can view data for all repositories in your organization through security overview. To learn more about the security manager role, see "Managing security managers in your organization."