Enforcing policies for code security and analysis for your enterprise

In this article

You can enforce policies to manage the use of code security and analysis features within your enterprise's organizations.

Who can use this feature

Enterprise owners can enforce code security and analysis policies for GitHub Advanced Security in an enterprise.

GitHub Advanced Security is available for enterprise accounts on GitHub Enterprise Cloud and GitHub Enterprise Server. Some features of GitHub Advanced Security are also available for public repositories on GitHub.com. For more information, see "GitHub’s plans."

For information about GitHub Advanced Security for Azure DevOps, see Configure GitHub Advanced Security for Azure DevOps in Microsoft Learn.

About policies for code security and analysis in your enterprise

You can enforce policies to manage the use of code security and analysis features within organizations owned by your enterprise. You can allow or disallow people with admin access to a repository to enable or disable the security and analysis features.

Additionally, you can enforce policies for the use of GitHub Advanced Security in your enterprise's organizations and repositories.

Enforcing a policy for visibility of dependency insights

Dependency insights show all packages that repositories within your enterprise's organizations depend on. Dependency insights include aggregated information about security advisories and licenses. For more information, see "Viewing insights for your organization."

Across all organizations owned by your enterprise, you can control whether organization members can view dependency insights. You can also allow owners to administer the setting on the organization level. For more information, see "Changing the visibility of your organization's dependency insights."

  1. In the top-right corner of GitHub.com, click your profile photo, then click Your enterprises.

  2. In the list of enterprises, click the enterprise you want to view.

  3. In the enterprise account sidebar, click Policies.

  4. Under " Policies", click Code security and analysis.

  5. Under "Dependency insights", review the information about changing the setting.

  6. Optionally, to view the current configuration for all organizations in the enterprise account before you change the setting, click View your organizations' current configurations.

    Screenshot of a policy in the enterprise settings. A link, labeled "View your organizations' current configurations", is highlighted with an orange outline.

  7. Under "Dependency insights", select the the dropdown menu and click a policy.

Enforcing a policy to manage the use of Dependabot alerts in your enterprise

Across all organizations owned by your enterprise, you can allow members with admin permissions for repositories to enable or disable Dependabot alerts and change Dependabot alerts settings.

Note: This policy only impacts repository administrators, specifically. Organization owners and security managers can always enable security features, regardless of how you set this policy. For more information, see "Roles in an organization."

  1. In the top-right corner of GitHub.com, click your profile photo, then click Your enterprises.

  2. In the list of enterprises, click the enterprise you want to view.

  3. In the enterprise account sidebar, click Policies.

  4. Under "Policies", click Code security and analysis.

  5. Under "Enable or disable Dependabot alerts by repository admins", use the dropdown menu to choose a policy.

Enforcing a policy for the use of GitHub Advanced Security in your enterprise's organizations

GitHub bills for Advanced Security on a per-committer basis. For more information, see "Managing billing for GitHub Advanced Security."

You can enforce a policy that controls whether repository administrators are allowed to enable features for Advanced Security in an organization's repositories. You can configure a policy for all organizations owned by your enterprise account, or for individual organizations that you choose.

Disallowing Advanced Security for an organization prevents repository administrators from enabling Advanced Security features for additional repositories, but does not disable the features for repositories where the features are already enabled. For more information about configuration of Advanced Security features, see "Managing security and analysis settings for your organization" or "Managing security and analysis settings for your repository."

Note: This policy only impacts repository administrators, specifically. Organization owners and security managers can always enable security features, regardless of how you set this policy. For more information, see "Roles in an organization."

  1. In the top-right corner of GitHub.com, click your profile photo, then click Your enterprises.

  2. In the list of enterprises, click the enterprise you want to view.

  3. In the enterprise account sidebar, click Policies.

  4. Under "Policies", click Code security and analysis.

  5. In the "GitHub Advanced Security policies" section, under "GitHub Advanced Security availability", select the dropdown menu and click a policy for the organizations owned by your enterprise.

  6. Under "GitHub Advanced Security availability", select the dropdown menu, then click a policy for the organizations owned by your enterprise.

  7. Optionally, if you chose Allow for selected organizations, to the right of an organization, select the dropdown menu to enable Advanced Security for the organization.

    Screenshot of the Advanced Security policies. The dropdown to select an Advanced Security policy for individual organization in the enterprise account is highlighted with an orange outline.

Enforcing a policy to manage the use of GitHub Advanced Security features in your enterprise's repositories

Across all of your enterprise's organizations, you can allow or disallow people with admin access to repositories to manage the use of GitHub Advanced Security features in the repositories. GitHub Advanced Security features must be available to the organization for this policy to take effect. For more information, see "Enforcing a policy for the use of GitHub Advanced Security in your enterprise's organizations."

  1. In the top-right corner of GitHub.com, click your profile photo, then click Your enterprises.

  2. In the list of enterprises, click the enterprise you want to view.

  3. In the enterprise account sidebar, click Policies.

  4. Under "Policies", click Code security and analysis.

  5. In the "GitHub Advanced Security policies" section, under "Enable or disable GitHub Advanced Security by repository admins", select the dropdown menu and click a policy.

Enforcing a policy to manage the use of secret scanning in your enterprise's repositories

Across all of your enterprise's organizations, you can allow or disallow people with admin access to repositories to manage and configure secret scanning for the repositories. GitHub Advanced Security features must be available to the organization for this policy to take effect. For more information, see "Enforcing a policy for the use of GitHub Advanced Security in your enterprise's organizations."

Note: This policy only impacts repository administrators, specifically. Organization owners and security managers can always enable security features, regardless of how you set this policy. For more information, see "Roles in an organization."

  1. In the top-right corner of GitHub.com, click your profile photo, then click Your enterprises.

  2. In the list of enterprises, click the enterprise you want to view.

  3. In the enterprise account sidebar, click Policies.

  4. Under "Policies", click Code security and analysis.

  5. In the "GitHub Advanced Security policies" section, under "Enable or disable secret scanning by repository admins", select the dropdown menu and click a policy.