Skip to main content

Securing your organization

You can use a number of GitHub features to help keep your organization secure.

Who can use this feature

Organization owners can configure organization security settings.

Introduction

This guide shows you how to configure security features for an organization. Your organization's security needs are unique and you may not need to enable every security feature. For more information, see "GitHub security features."

Some features are available for repositories on all plans. Additional features are available to enterprises that use GitHub Advanced Security. GitHub Advanced Security features are also enabled for all public repositories on GitHub.com. For more information, see "About GitHub Advanced Security."

Managing access to your organization

You can use roles to control what actions people can take in your organization. For example, you can assign the security manager role to a team to give them the ability to manage security settings across your organization, as well as read access to all repositories. For more information, see "Roles in an organization."

Creating a default security policy

You can create a default security policy that will display in any of your organization's public repositories that do not have their own security policy. For more information, see "Creating a default community health file."

Managing Dependabot alerts and the dependency graph

GitHub detects vulnerabilities in public repositories and displays the dependency graph. You can enable or disable Dependabot alerts for all public repositories owned by your organization. You can enable or disable Dependabot alerts and the dependency graph for all private repositories owned by your organization.

  1. Click your profile photo, then click Organizations.
  2. Click Settings next to your organization.
  3. Click Security & analysis.
  4. Click Enable all or Disable all next to the feature that you want to manage.
  5. Optionally, select Automatically enable for new repositories.

For more information, see "About Dependabot alerts," "Exploring the dependencies of a repository," and "Managing security and analysis settings for your organization."

Managing dependency review

Dependency review is an Advanced Security feature that lets you visualize dependency changes in pull requests before they are merged into your repositories. For more information, see "About dependency review."

Dependency review is already enabled for all public repositories. For private and internal repositories that are owned by an organization, you can enable dependency review by enabling the dependency graph and enabling Advanced Security (see below).

Managing Dependabot security updates

For any repository that uses Dependabot alerts, you can enable Dependabot security updates to raise pull requests with security updates when vulnerabilities are detected. You can also enable or disable Dependabot security updates for all repositories across your organization.

  1. Click your profile photo, then click Organizations.
  2. Click Settings next to your organization.
  3. Click Security & analysis.
  4. Click Enable all or Disable all next to Dependabot security updates.
  5. Optionally, select Automatically enable for new repositories.

For more information, see "About Dependabot security updates" and "Managing security and analysis settings for your organization."

Managing Dependabot version updates

You can enable Dependabot to automatically raise pull requests to keep your dependencies up-to-date. For more information, see "About Dependabot version updates."

To enable Dependabot version updates, you must create a dependabot.yml configuration file. For more information, see "Configuring Dependabot version updates."

Managing GitHub Advanced Security

If your organization is owned by an enterprise that has an Advanced Security license, you can enable or disable Advanced Security features.

  1. Click your profile photo, then click Organizations.
  2. Click Settings next to your organization.
  3. Click Security & analysis.
  4. Click Enable all or Disable all next to GitHub Advanced Security.
  5. Optionally, select Automatically enable for new private repositories.

For more information, see "About GitHub Advanced Security" and "Managing security and analysis settings for your organization."

Configuring secret scanning

Secret scanning is available for all public repositories. Organizations that use GitHub Enterprise Cloud with Advanced Security can additionally enable secret scanning for private and internal repositories.

You can enable or disable secret scanning for all public repositories across your organization, and for all private and internal repositories that have GitHub Advanced Security enabled.

  1. Click your profile photo, then click Organizations.
  2. Click Settings next to your organization.
  3. Click Code security & analysis.
  4. Click Enable all or Disable all next to Secret scanning.
  5. In the dialog box displayed, optionally select Automatically enable for new public repositories and repositories with Advanced Security enabled.
  6. Click the enable or disable button in the dialog box to confirm the change.

For more information, see "Managing security and analysis settings for your organization."

Configuring code scanning

Code scanning is available for all public repositories. Organizations that use GitHub Enterprise Cloud with Advanced Security can additionally use code scanning for private and internal repositories.

You can enable or disable code scanning default setup for all eligible repositories that are public, and for all private and internal repositories across your organization that have GitHub Advanced Security enabled. For information about eligible repositories, see Configuring code scanning at scale using CodeQL.

For repositories that are not eligible for default setup, you can configure advanced setup at the repository level. For more information, see "Configuring code scanning for a repository."

Note: The ability to enable and disable default set up for code scanning for eligible repositories in an organization is currently in beta and subject to change. During the beta release, if you disable CodeQL code scanning for all repositories this change will not be reflected in the coverage information shown in security overview for the organization. The repositories will still appear to have code scanning enabled in this view.

  1. Click your profile photo, then click Organizations.
  2. Click Settings next to your organization.
  3. Click Code security & analysis.
  4. Click Enable all or Disable all next to Code scanning.
  5. In the "Enable code scanning for eligible repositories" or "Disable code scanning" dialog box displayed, click Enable for eligible repositories or Disable code scanning to confirm the change.

Next steps

You can view and manage alerts from security features to address dependencies and vulnerabilities in your code. For more information, see "Viewing and updating Dependabot alerts," "Managing pull requests for dependency updates," "Managing code scanning alerts for your repository," and "Managing alerts from secret scanning."

You can also monitor responses to security alerts within your organization. For more information, see "Auditing security alerts".

If you have a security vulnerability, you can create a security advisory to privately discuss and fix the vulnerability. For more information, see "About repository security advisories" and "Creating a repository security advisory."

You can view, filter, and sort security alerts for repositories owned by your organization in the security overview. For more information, see "About the security overview."

Further reading

"Accessing compliance reports for your organization"