Skip to main content

Évaluation des risques liés à la sécurité de votre code

Vous pouvez utiliser la vue d'ensemble de la sécurité pour voir quelles équipes et quels référentiels sont concernés par les alertes de sécurité, et identifier les référentiels devant faire l'objet d'une action corrective urgente.

Qui peut utiliser cette fonctionnalité ?

La vue d’ensemble de la sécurité d’une organisation est disponible pour tous les membres de cette organisation. Les vues et les données affichées sont déterminées par votre rôle dans l'organisation et par vos autorisations pour les référentiels individuels au sein de l'organisation. Pour plus d’informations, consultez « À propos de la vue d’ensemble de la sécurité ».

La vue d'ensemble de la sécurité d'une entreprise présente aux propriétaires d'organisation et aux gestionnaires de sécurité les données de l’organisation auxquelles ils ont accès. Les propriétaires d’entreprise peuvent uniquement afficher les données pour les organisations où ils sont ajoutés en tant que propriétaire d’organisation ou gestionnaire de sécurité. Pour plus d’informations, consultez « Gestion de votre rôle dans une organisation appartenant à votre entreprise ».

Toutes les entreprises et leurs organisations ont une vue d’ensemble de la sécurité. Si vous utilisez des caractéristiques GitHub Advanced Security vous verrez des informations supplémentaires. Pour plus d’informations, consultez « À propos de GitHub Advanced Security ».

Exploring the security risks in your code

You can use the different views on your Security tab to explore the security risks in your code.

  • Overview: use to explore trends in Detection, Remediation, and Prevention of security alerts.
  • Risk: use to explore the current state of repositories, across all alert types.
  • Alerts views: use to explore code scanning, Dependabot, or secret scanning alerts in greater detail.

These views provide you with the data and filters to:

  • Assess the landscape of your code security across all your repositories.
  • Identify the highest impact vulnerabilities to address.
  • Monitor your progress in remediating potential vulnerabilities.

Viewing organization-level code security risks

The information shown by security overview varies according to your access to repositories and organizations, and according to whether GitHub Advanced Security is used by those repositories and organizations. For more information, see "About security overview."

  1. On GitHub, navigate to the main page of the organization.

  2. Under your organization name, click Security.

    Screenshot of the horizontal navigation bar for an organization. A tab, labeled with a shield icon and "Security," is outlined in dark orange.

  3. To display the "Security risk" view, in the sidebar, click Risk.

  4. Use options in the page summary to filter results to show the repositories you want to assess. The list of repositories and metrics displayed on the page automatically update to match your current selection. For more information on filtering, see "Filtering alerts in security overview."

    • Use the Teams dropdown to show information only for the repositories owned by one or more teams.
    • Click NUMBER affected or NUMBER unaffected in the header for any feature to show only the repositories with open alerts or no open alerts of that type.
    • Click any of the descriptions of "Open alerts" in the header to show only repositories with alerts of that type and category. For example, 1 critical to show the repository with a critical alert for Dependabot.
    • At the top of the list of repositories, click NUMBER Archived to show only repositories that are archived.
    • Click in the search box to add further filters to the repositories displayed.

    Screenshot of the "Security risk" view for an organization. The options for filtering are outlined in dark orange.

    Note

    The set of unaffected repositories includes all repositories without open alerts and also any repositories where the security feature is not enabled.

  5. Optionally, use the sidebar on the left to explore alerts for a specific security feature in greater detail. On each page, you can use filters that are specific to that feature to refine your search. For more information about the available qualifiers, see "Filtering alerts in security overview."

Note

The summary views ("Coverage" and "Risk") show data only for high confidence alerts. Code scanning alerts from third-party tools, and secret scanning alerts for ignored directories and non-provider alerts are all omitted from these views. Consequently, the individual alert views may include a larger number of open and closed alerts.

Viewing enterprise-level code security risks

You can view data for security alerts across organizations in an enterprise. The information shown by security overview varies according to your access to repositories and organizations, and according to whether GitHub Advanced Security is used by those repositories and organizations. For more information, see "About security overview."

Tip

You can use the owner filter in the search field to filter the data by organization. For more information, see "Filtering alerts in security overview."

  1. Navigate to GitHub Enterprise Cloud.

  2. In the top-right corner of GitHub, click your profile photo, then click Your enterprises.

  3. In the list of enterprises, click the enterprise you want to view.

  4. On the left side of the page, in the enterprise account sidebar, click Code Security.

  5. To display the "Security risk" view, in the sidebar, click Risk.

  6. Use options in the page summary to filter results to show the repositories you want to assess. The list of repositories and metrics displayed on the page automatically update to match your current selection. For more information on filtering, see "Filtering alerts in security overview."

    • Use the Teams dropdown to show information only for the repositories owned by one or more teams.
    • Click NUMBER affected or NUMBER unaffected in the header for any feature to show only the repositories with open alerts or no open alerts of that type.
    • Click any of the descriptions of "Open alerts" in the header to show only repositories with alerts of that type and category. For example, 1 critical to show the repository with a critical alert for Dependabot.
    • At the top of the list of repositories, click NUMBER Archived to show only repositories that are archived.
    • Click in the search box to add further filters to the repositories displayed.

    Screenshot of the "Security risk" view for an enterprise. The options for filtering are outlined in dark orange.

    Note

    The set of unaffected repositories includes all repositories without open alerts and also any repositories where the security feature is not enabled.

  7. Optionally, use the sidebar on the left to explore alerts for a specific security feature in greater detail. On each page, you can use filters that are specific to that feature to refine your search. For more information about the available qualifiers, see "Filtering alerts in security overview."

Note

The summary views ("Coverage" and "Risk") show data only for high confidence alerts. Code scanning alerts from third-party tools, and secret scanning alerts for ignored directories and non-provider alerts are all omitted from these views. Consequently, the individual alert views may include a larger number of open and closed alerts.