Managing security and analysis settings for your organization

You can control features that secure and analyze the code in your organization's projects on GitHub.

Organization owners can manage security and analysis settings for repositories in the organization.


About management of security and analysis settings

GitHub can help secure the repositories in your organization. You can manage the security and analysis features for all existing or new repositories that members create in your organization. If you have a license for GitHub Advanced Security, you can also manage access to these features. For more information, see "About GitHub Advanced Security."

Note: You can't disable some security and analysis features that are enabled by default for public repositories.

If you enable security and analysis features, GitHub performs read-only analysis on your repository. For more information, see "About GitHub's use of your data."

Displaying the security and analysis settings

  1. In the top right corner of GitHub, click your profile photo, then click Your profile.
  2. On the left side of your profile page, under "Organizations", click the icon for your organization.
  3. Under your organization name, click Settings.
  4. In the left sidebar, click Security & analysis.

The page that's displayed allows you to enable or disable all security and analysis features for the repositories in your organization.

If your organization, or the enterprise that owns it, has a license for GitHub Advanced Security, the page will also contain options to enable and disable Advanced Security features. Any repositories that use GitHub Advanced Security are listed at the bottom of the page.

Enabling or disabling a feature for all existing repositories

You can enable or disable features for all repositories. The impact of your changes on repositories in your organization is determined by their visibility:

  • Dependency graph - Your changes affect only private repositories because the feature is always enabled for public repositories.
  • Dependabot alerts - Your changes affect all repositories.
  • Dependabot security updates - Your changes affect all repositories.
  • GitHub Advanced Security - Your changes affect only private repositories because GitHub Advanced Security and the related features are always enabled for public repositories.
  • Secret scanning - Your changes affect only private repositories where GitHub Advanced Security is also enabled. Secret scanning is always enabled for public repositories.

Note: If you enable GitHub Advanced Security, committers to these repositories will use seats on your GitHub Advanced Security license. This option controls access to all Advanced Security features including dependency review, code scanning, and secret scanning.

  1. Go to the security and analysis settings for your organization. For more information, see "Displaying the security and analysis settings."

  2. Under "Configure security and analysis features", to the right of the feature, click Disable all or Enable all.

  3. Optionally, enable the feature by default for new repositories in your organization.

  4. Click Disable FEATURE or Enable FEATURE to disable or enable the feature for all the repositories in your organization.

Enabling or disabling a feature automatically when new repositories are added

  1. Go to the security and analysis settings for your organization. For more information, see "Displaying the security and analysis settings."

  2. Under "Configure security and analysis features", to the right of the feature, enable or disable the feature by default for new repositories, or all new private repositories, in your organization.

Note: If you enable GitHub Advanced Security, committers to these repositories will use seats on your GitHub Advanced Security license. This option controls access to all Advanced Security features including dependency review, code scanning, and secret scanning.

Allowing Dependabot to access private repositories

Note: Dependabot version updates are currently in beta and subject to change. To use the beta feature, check in a configuration file to tell Dependabot which dependencies to maintain for you. For details, see "Enabling and disabling version updates."

Dependabot can check for outdated dependency references in a project and automatically generate a pull request to update them. To do this, Dependabot must have access to all of the targeted dependency files. Typically, version updates will fail if one or more dependencies are inaccessible.

By default, Dependabot can't update dependencies that are located in private repositories. However, if a dependency is in a private GitHub repository within the same organization as the project that uses that dependency, you can allow Dependabot to update the version successfully by giving it access to the host repository. For more information, including details of limitations to private dependency support, see "About Dependabot version updates."

  1. Go to the security and analysis settings for your organization. For more information, see "Displaying the security and analysis settings."

  2. Under "Dependabot private repository access", click Add private repositories or Add internal and private repositories.

  3. Start typing the name of the repository you want to allow.

  4. Click the repository you want to allow.

  5. Optionally, to remove a repository from the list, to the right of the repository, click the "X" button.

Removing access to GitHub Advanced Security from individual repositories in an organization

You can manage the use of GitHub Advanced Security for a repository using the "Security & analysis" page, on the "Settings" tab. You can also disable the use of GitHub Advanced Security for any repository in an organization from the "Security & analysis" page of the organization.

  1. Go to the security and analysis settings for your organization. For more information, see "Displaying the security and analysis settings."
  2. To see a list of all the repositories in your organization with GitHub Advanced Security enabled, scroll to the "GitHub Advanced Security repositories" section.
    The table lists the number of unique committers for each repository. This is the number of seats you could free up on your license by removing access to GitHub Advanced Security.
  3. To remove access to GitHub Advanced Security from a repository, click the adjacent .
  4. In the confirmation dialog, click Remove repository to remove access to the features of GitHub Advanced Security.

Note: If you remove access to GitHub Advanced Security for a repository, you should communicate with the affected development team so that they know that the change was intended. Otherwise they may assume that the change was a mistake and re-enable access.
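Before removing access from several repositories at once, it helps to model the seat impact. The following is an added example, not GitHub's own code. It assumes that a repository's "unique committers" are the committers who commit to no other repository with GitHub Advanced Security enabled. The repository names and logins are constructed sample data, and the function names are hypothetical.

```python
# Added example: model GitHub Advanced Security seat usage from a constructed
# inventory of committers per repository.
# Assumption: a committer uses one seat regardless of how many GHAS-enabled
# repositories they commit to, so a seat is freed only when the committer has
# no remaining GHAS-enabled repository.

# Constructed sample data: repository -> committer logins.
GHAS_COMMITTERS = {
    "payments-api": {"alice", "bob", "carol"},
    "web-frontend": {"bob", "dave"},
    "infra-tools": {"carol", "erin", "frank"},
    "legacy-batch": {"gina"},
}


def seats_in_use(committers_by_repo):
    """Count distinct committers across all GHAS-enabled repositories."""
    return len(set().union(*committers_by_repo.values()))


def seats_freed(committers_by_repo, repos_to_remove):
    """Seats released if access is removed from every repo in repos_to_remove."""
    repos_to_remove = set(repos_to_remove)
    unknown = repos_to_remove - committers_by_repo.keys()
    if unknown:
        raise KeyError(f"not in inventory: {sorted(unknown)}")
    remaining = {
        repo: logins
        for repo, logins in committers_by_repo.items()
        if repo not in repos_to_remove
    }
    return seats_in_use(committers_by_repo) - seats_in_use(remaining)


def unique_committers(committers_by_repo):
    """Per-repository count of committers found in no other GHAS repository."""
    return {
        repo: seats_freed(committers_by_repo, {repo})
        for repo in committers_by_repo
    }


if __name__ == "__main__":
    print("seats in use:", seats_in_use(GHAS_COMMITTERS))
    for repo, count in unique_committers(GHAS_COMMITTERS).items():
        print(f"{repo}: {count} unique committer(s)")
    both = seats_freed(GHAS_COMMITTERS, {"payments-api", "web-frontend"})
    print("freed by removing payments-api and web-frontend together:", both)
```

Under this assumption the per-repository counts are not additive: a committer shared by two repositories is freed only when access is removed from both.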
