Skip to main content

Enterprise Server 3.15 is currently available as a release candidate.

Configuring global security settings for your organization

Customize GitHub Advanced Security features to strengthen the security of your organization.

Who can use this feature?

Organization owners, security managers, and organization members with the admin role

About global settings

Alongside security configurations, which determine repository-level security settings, you should also configure global settings for your organization. Global settings apply to your entire organization, and can customize GitHub Advanced Security features based on your needs. You can also create a team of security managers to monitor and maintain your organization's security.

Accessing the global settings page for your organization

  1. In the upper-right corner of GitHub, select your profile photo, then click Your organizations**.

  2. Under your organization name, click Settings. If you cannot see the "Settings" tab, select the dropdown menu, then click Settings.

    Screenshot of the tabs in an organization's profile. The "Settings" tab is outlined in dark orange.

  3. In the "Security" section of the sidebar, select the Code security dropdown menu, then click Global settings.

Configuring global Dependabot settings

Dependabot consists of three different features that help you manage your dependencies:

  • Dependabot alerts: Inform you about vulnerabilities in the dependencies that you use in your repository.
  • Dependabot security updates: Automatically raise pull requests to update the dependencies you use that have known security vulnerabilities.
  • Dependabot version updates: Automatically raise pull requests to keep your dependencies up-to-date.

You can customize several global settings for Dependabot:

Creating and managing Dependabot auto-triage rules

You can create and manage Dependabot auto-triage rules to instruct Dependabot to automatically dismiss or snooze Dependabot alerts, and even open pull requests to attempt to resolve them. To configure Dependabot auto-triage rules, click rules" %}, then create or edit a rule:

  • You can create a new rule by clicking New rule, then entering the details for your rule and clicking Create rule.
  • You can edit an existing rule by clicking , then making the desired changes and clicking Save rule.

For more information on Dependabot auto-triage rules, see "About Dependabot auto-triage rules" and "Customizing auto-triage rules to prioritize Dependabot alerts."

Grouping Dependabot security updates

Dependabot can group all automatically suggested security updates into a single pull request to reduce noise. To enable grouped security updates, select Grouped security updates. For more information about grouped updates and customization options, see "Configuring Dependabot security updates."

Granting Dependabot access to private and internal repositories

To update private dependencies of repositories in your organization, Dependabot needs access to those repositories. To grant Dependabot access to the desired private or internal repository, scroll down to the "Grant Dependabot access to private repositories" section, then use the search bar to find and select the desired repository. Be aware that granting Dependabot access to a repository means all users in your organization will have access to the contents of that repository through Dependabot updates. For more information about the supported ecosystems for private repositories, see "Dependabot supported ecosystems and repositories."

Configuring global code scanning settings

Code scanning is a feature that you use to analyze the code in a GitHub repository to find security vulnerabilities and coding errors. Any problems identified by the analysis are shown in your repository.

You can customize several global settings for code scanning:

Recommending the extended query suite for default setup

Code scanning offers specific groups of CodeQL queries, called CodeQL query suites, to run against your code. By default, the "Default" query suite is run. GitHub also offers the "Extended" query suite, which contains all the queries in the "Default" query suite, plus additional queries with lower precision and severity. To suggest the "Extended" query suite across your organization, select Recommend the extended query suite for repositories enabling default setup. For more information on built-in query suites for CodeQL default setup, see "CodeQL query suites."

Setting a failure threshold for code scanning checks in pull requests

You can choose the severity levels at which code scanning check runs on pull requests will fail. To choose a security severity level, select the Security: SECURITY-SEVERITY-LEVEL dropdown menu, then click a security severity level. To choose an alert severity level, select the OTHER: ALERT-SEVERITY-LEVEL dropdown menu, then click an alert severity level. For more information, see "About code scanning alerts."

Configuring global secret scanning settings

Secret scanning is a security tool that scans the entire Git history of repositories, as well as issues, pull requests, and discussions in those repositories, for leaked secrets that have been accidentally committed, such as tokens or private keys.

You can customize several global settings for secret scanning:

To provide context for developers when secret scanning blocks a commit, you can display a link with more information on why the commit was blocked. To include a link, select Add a resource link in the CLI and the web UI when a commit is blocked. In the text box, type the link to the desired resource, then click Save.

Defining custom patterns

You can define custom patterns for secret scanning with regular expressions. Custom patterns can identify secrets that are not detected by the default patterns supported by secret scanning. To create a custom pattern, click New pattern, then enter the details for your pattern and click Save and dry run. For more information on custom patterns, see "Defining custom patterns for secret scanning."

Creating security managers for your organization

The security manager role grants members of your organization the ability to manage security settings and alerts across your organization. Security managers can view data for all repositories in your organization through security overview.

To learn more about the security manager role, see "Managing security managers in your organization."

To grant all members of a team the security manager role, in the "Search for teams" text box, type the name of the desired team. In the dropdown menu that appears, click the team, then click I understand, grant security manager permissions.