Skip to main content

Managing security and analysis settings for your organization

You can control features that secure and analyze the code in your organization's projects on GitHub.

Organization owners can manage security and analysis settings for repositories in the organization.

About management of security and analysis settings

GitHub can help secure the repositories in your organization. You can manage the security and analysis features for all existing or new repositories that members create in your organization. If you have a license for GitHub Advanced Security then you can also manage access to these features. 更多信息请参阅“关于 GitHub Advanced Security”。

:您不能对公共仓库禁用默认启用的一些安全和分析功能。

如果启用安全和分析功能, GitHub 将对您的仓库进行只读分析。 更多信息请参阅“关于 GitHub 对数据的使用”。

Displaying the security and analysis settings

  1. 在 GitHub.com 的右上角,单击您的头像,然后单击 Your organizations(您的组织)个人资料菜单中的组织

  2. 在组织旁边,单击 Settings(设置)设置按钮

  3. 在边栏的“Security(安全性)”部分中,单击 Code security and analysis(代码安全性和分析)

The page that's displayed allows you to enable or disable all security and analysis features for the repositories in your organization.

If your organization belongs to an enterprise with a license for GitHub Advanced Security, the page will also contain options to enable and disable Advanced Security features. Any repositories that use GitHub Advanced Security are listed at the bottom of the page.

Enabling or disabling a feature for all existing repositories

You can enable or disable features for all repositories. The impact of your changes on repositories in your organization is determined by their visibility:

  • Dependency graph - Your changes affect only private repositories because the feature is always enabled for public repositories.
  • Dependabot 警报 - Your changes affect all repositories.
  • Dependabot 安全更新 - Your changes affect all repositories.
  • GitHub Advanced Security - Your changes affect only private repositories because GitHub Advanced Security and the related features are always enabled for public repositories.
  • 秘密扫描 - Your changes affect repositories where GitHub Advanced Security is also enabled. This option controls whether or not > - 秘密扫描,用于高级安全 is enabled. 秘密扫描合作伙伴模式 always runs on all public repositories.
**注意:**如果启用

GitHub Advanced Security,这些仓库的提交者将使用您的 GitHub Advanced Security 许可上的席位。 如果您已超出许可证容量,此选项将被禁用。 更多信息请参阅“关于 GitHub Advanced Security 的计费”。

  1. Go to the security and analysis settings for your organization. For more information, see "Displaying the security and analysis settings."

  2. Under "Code security and analysis", to the right of the feature, click Disable all or Enable all. The control for "GitHub Advanced Security" is disabled if you have no available seats in your GitHub Advanced Security license.

    "Enable all" or "Disable all" button for "Configure security and analysis" features

  3. Optionally, enable the feature by default for new repositories in your organization.

    "Enable by default" option for new repositories

  4. Click Disable FEATURE or Enable FEATURE to disable or enable the feature for all the repositories in your organization.

    Button to disable or enable feature

当您为现有仓库启用一个或多个安全和分析功能时,您将在几分钟内看到 GitHub 上显示的任何结果:

  • 所有现有仓库将具有选定的配置。
  • 如果启用了新仓库的复选框,则新仓库将遵循所选配置。
  • 我们使用权限扫描清单文件以应用相关服务。
  • 如果启用,您将在依赖关系图中看到依赖项信息。
  • If enabled, GitHub will generate Dependabot 警报 for vulnerable dependencies or malware.
  • 如果启用,Dependabot 安全更新将在触发 Dependabot 警报 时创建请求以升级有漏洞的依赖项。

Enabling or disabling a feature automatically when new repositories are added

  1. Go to the security and analysis settings for your organization. For more information, see "Displaying the security and analysis settings."

  2. Under "Code security and analysis", to the right of the feature, enable or disable the feature by default for new repositories, or all new private repositories, in your organization.

    Screenshot of a checkbox for enabling a feature for new repositories

Allowing Dependabot to access private dependencies

Dependabot can check for outdated dependency references in a project and automatically generate a pull request to update them. To do this, Dependabot must have access to all of the targeted dependency files. Typically, version updates will fail if one or more dependencies are inaccessible. For more information, see "About Dependabot version updates."

By default, Dependabot can't update dependencies that are located in private repositories or private package registries. However, if a dependency is in a private GitHub repository within the same organization as the project that uses that dependency, you can allow Dependabot to update the version successfully by giving it access to the host repository.

If your code depends on packages in a private registry, you can allow Dependabot to update the versions of these dependencies by configuring this at the repository level. You do this by adding authentication details to the dependabot.yml file for the repository. For more information, see "Configuration options for the dependabot.yml file."

To allow Dependabot to access a private GitHub repository:

  1. Go to the security and analysis settings for your organization. For more information, see "Displaying the security and analysis settings."

  2. Under "Dependabot private repository access", click Add private repositories or Add internal and private repositories. Add repositories button

  3. Start typing the name of the repository you want to allow. Repository search field with filtered dropdown

  4. Click the repository you want to allow.

  5. Optionally, to remove a repository from the list, to the right of the repository, click . "X" button to remove a repository

Removing access to GitHub Advanced Security from individual repositories in an organization

You can manage access to GitHub Advanced Security features for a repository from its "Settings" tab. For more information, see "Managing security and analysis settings for your repository." However, you can also disable GitHub Advanced Security features for a repository from the "Settings" tab for the organization.

  1. Go to the security and analysis settings for your organization. For more information, see "Displaying the security and analysis settings."
  2. To see a list of all the repositories in your organization with GitHub Advanced Security enabled, scroll to the "GitHub Advanced Security repositories" section. GitHub Advanced Security repositories section The table lists the number of unique committers for each repository. This is the number of seats you could free up on your license by removing access to GitHub Advanced Security. For more information, see "About billing for GitHub Advanced Security."
  3. To remove access to GitHub Advanced Security from a repository and free up seats used by any committers that are unique to the repository, click the adjacent .
  4. In the confirmation dialog, click Remove repository to remove access to the features of GitHub Advanced Security.

Note: If you remove access to GitHub Advanced Security for a repository, you should communicate with the affected development team so that they know that the change was intended. This ensures that they don't waste time debugging failed runs of code scanning.

Further reading