About global settings
Alongside security configurations, which determine repository-level security settings, you should also configure global settings for your organization. Global settings apply to your entire organization, and can customize GitHub Advanced Security features based on your needs. You can also create security managers on the global settings page to monitor and maintain your organization's security.
Accessing the global settings page for your organization
-
In the upper-right corner of GitHub, select your profile photo, then click Your organizations.
-
Under your organization name, click Settings. If you cannot see the "Settings" tab, select the dropdown menu, then click Settings.
-
In the "Security" section of the sidebar, select the Code security dropdown menu, then click Global settings.
Configuring global Dependabot settings
Dependabot consists of three different features that help you manage your dependencies:
- Dependabot alerts—inform you about vulnerabilities in the dependencies that you use in your repository.
- Dependabot security updates—automatically raise pull requests to update the dependencies you use that have known security vulnerabilities.
- Dependabot version updates—automatically raise pull requests to keep your dependencies up-to-date.
You can customize several global settings for Dependabot:
- Creating and managing Dependabot auto-triage rules
- Grouping Dependabot security updates
- Enabling dependency updates on GitHub Actions runners
- Granting Dependabot access to private and internal repositories
Creating and managing Dependabot auto-triage rules
You can create and manage Dependabot auto-triage rules to instruct Dependabot to automatically dismiss or snooze Dependabot alerts, and even open pull requests to attempt to resolve them. To configure Dependabot auto-triage rules, click rules" %}, then create or edit a rule:
- You can create a new rule by clicking New rule, then entering the details for your rule and clicking Create rule.
- You can edit an existing rule by clicking , then making the desired changes and clicking Save rule.
For more information on Dependabot auto-triage rules, see "About Dependabot auto-triage rules" and "Customizing auto-triage rules to prioritize Dependabot alerts."
Grouping Dependabot security updates
Dependabot can group all automatically suggested security updates into a single pull request to reduce noise. To enable grouped security updates, select Grouped security updates. For more information about grouped updates and customization options, see "Configuring Dependabot security updates."
Enabling dependency updates on GitHub Actions runners
If both Dependabot and GitHub Actions are enabled for existing repositories in your organization, GitHub will automatically use GitHub-hosted runners to run dependency updates for those repositories.
Otherwise, to allow Dependabot to use GitHub Actions runners to perform dependency updates for all existing repositories in the organization, select "Dependabot on Actions runners".
For more information, see "About Dependabot on GitHub Actions runners."
To have greater control over Dependabot's access to your private registries and internal network resources, you can configure Dependabot to run on GitHub Actions self-hosted runners. For more information, see "About Dependabot on GitHub Actions runners" and "Managing Dependabot on self-hosted runners."
Granting Dependabot access to private and internal repositories
To update private dependencies of repositories in your organization, Dependabot needs access to those repositories. To grant Dependabot access to the desired private or internal repository, scroll down to the "Grant Dependabot access to private repositories" section, then use the search bar to find and select the desired repository. Be aware that granting Dependabot access to a repository means all users in your organization will have access to the contents of that repository through Dependabot updates. For more information about the supported ecosystems for private repositories, see "Dependabot supported ecosystems and repositories."
Configuring global code scanning settings
Code scanning is a feature that you use to analyze the code in a GitHub repository to find security vulnerabilities and coding errors. Any problems identified by the analysis are shown in your repository.
You can customize several global settings for code scanning:
- Recommending the extended query suite for default setup
- Enabling Copilot Autofix for CodeQL
- Enabling Copilot Autofix for third-party code scanning tools
- Setting a failure threshold for code scanning checks in pull requests
Recommending the extended query suite for default setup
Code scanning offers specific groups of CodeQL queries, called CodeQL query suites, to run against your code. By default, the "Default" query suite is run. GitHub also offers the "Extended" query suite, which contains all the queries in the "Default" query suite, plus additional queries with lower precision and severity. To suggest the "Extended" query suite across your organization, select Recommend the extended query suite for repositories enabling default setup. For more information on built-in query suites for CodeQL default setup, see "CodeQL query suites."
Enabling Copilot Autofix for CodeQL
You can select Copilot Autofix to enable Copilot Autofix for all the repositories in your organization that use CodeQL default setup or CodeQL advanced setup. Copilot Autofix is an expansion of code scanning that suggests fixes for code scanning alerts. For more information, see "Responsible use of Copilot Autofix for code scanning."
Enabling Copilot Autofix for third-party code scanning tools
Note
Third-party code scanning tool support is in public preview, and subject to change. Currently, the third-party tool ESLint is supported. For more information, see "Responsible use of Copilot Autofix for code scanning."
You can select Copilot Autofix for third-party tools to enable Copilot Autofix for all the repositories in your organization that use third-party tools. Copilot Autofix is an expansion of code scanning that suggests fixes for code scanning alerts.
Setting a failure threshold for code scanning checks in pull requests
You can choose the severity levels at which code scanning check runs on pull requests will fail. To choose a security severity level, select the Security: SECURITY-SEVERITY-LEVEL dropdown menu, then click a security severity level. To choose an alert severity level, select the OTHER: ALERT-SEVERITY-LEVEL dropdown menu, then click an alert severity level. For more information, see "About code scanning alerts."
Configuring global secret scanning settings
Secret scanning is a security tool that scans the entire Git history of repositories, as well as issues, pull requests, discussions, and wikis in those repositories, for leaked secrets that have been accidentally committed, such as tokens or private keys.
You can customize several global settings for secret scanning:
- Generic secret detection with Copilot secret scanning
- Adding a resource link for blocked commits
- Defining custom patterns
Generic secret detection with Copilot secret scanning
Copilot secret scanning's generic secret detection is an AI-powered expansion of secret scanning that scans and creates alerts for unstructured secrets, such as passwords. To enable these scans, select Scan for generic secrets. Be aware that generic secrets often have a higher rate of false positives than other types of alert. To learn more about generic secrets, see "Responsible detection of generic secrets with Copilot secret scanning."
Note
You do not need a subscription to GitHub Copilot to use Copilot secret scanning's generic secret detection. Copilot secret scanning features are available to private repositories in GitHub Enterprise Cloud enterprises that have GitHub Advanced Security enabled.
Adding a resource link for blocked commits
To provide context for developers when secret scanning blocks a commit, you can display a link with more information on why the commit was blocked. To include a link, select Add a resource link in the CLI and the web UI when a commit is blocked. In the text box, type the link to the desired resource, then click Save.
Defining custom patterns
You can define custom patterns for secret scanning with regular expressions. Custom patterns can identify secrets that are not detected by the default patterns supported by secret scanning. To create a custom pattern, click New pattern, then enter the details for your pattern and click Save and dry run. For more information on custom patterns, see "Defining custom patterns for secret scanning."
Creating security managers for your organization
The security manager role grants members of your organization the ability to manage security settings and alerts across your organization. To grant all members of a team the security manager role, in the "Search for teams" text box, type the name of the desired team. In the dropdown menu that appears, click the team, then click I understand, grant security manager permissions.
Security managers can view data for all repositories in your organization through security overview. To learn more about the security manager role, see "Managing security managers in your organization."