Configuring global security settings for your organization

About global settings

Alongside security configurations, which determine repository-level security settings, you should also configure global settings for your organization. Global settings apply to your entire organization, and can customize Advanced Security features based on your needs.

Accessing the global settings page for your organization

GitHub の右上隅にあるプロフィール画像をクリックしてから、[ Your organizations] をクリックします。
Organization 名の下で、[ Settings] をクリックします。 [設定] タブが表示されない場合は、 [] ドロップダウンメニューを選び、 [設定] をクリックします。
In the "Security" section of the sidebar, select the Advanced Security dropdown menu, then click Global settings.

Configuring global Dependabot settings

Dependabot は、依存関係の管理に役立つ 3 つの異なる機能で構成されています。

Dependabot alerts: リポジトリで使われている依存関係の脆弱性についてユーザーに通知します。
Dependabot security updates: 使われている依存関係のうち、既知のセキュリティ脆弱性があるものを更新するための pull request を自動的に生成します。
Dependabot version updates: 依存関係を最新に保つための pull request を自動的に生成します。

You can customize several global settings for Dependabot:

Creating and managing Dependabot 自動トリアージルール
Grouping Dependabot security updates
Enabling dependency updates on GitHub Actions runners
Configuring the runner type for Dependabot
Granting Dependabot access to private repositories

Creating and managing Dependabot 自動トリアージルール

You can create and manage Dependabot 自動トリアージルール to instruct Dependabot to automatically dismiss or snooze Dependabot alerts, and even open pull requests to attempt to resolve them. To configure Dependabot 自動トリアージルール, click , then create or edit a rule:

You can create a new rule by clicking New rule, then entering the details for your rule and clicking Create rule.
You can edit an existing rule by clicking , then making the desired changes and clicking Save rule.

For more information on Dependabot 自動トリアージルール, see Dependabot 自動トリアージルールについて and 自動トリアージルールをカスタマイズして Dependabot アラートの優先度を設定する.

Grouping Dependabot security updates

Dependabot can group all automatically suggested security updates into a single pull request. To enable grouped security updates, select Grouped security updates. For more information about grouped updates and customization options, see Dependabot セキュリティの更新の構成.

Enabling dependency updates on GitHub Actions runners

If both Dependabot and GitHub Actions are enabled for existing repositories in your organization, GitHub will automatically use GitHub-hosted runners to run dependency updates for those repositories.

Otherwise, to allow Dependabot to use GitHub Actions runners to perform dependency updates for all existing repositories in the organization, select "Dependabot on Actions runners".

For more information, see GitHub Actions ランナーの Dependabot について.

Configuring the runner type for Dependabot

You can configure which type of runner Dependabot uses to scan for version and security updates. By default, Dependabot uses standard GitHub-hosted runners. You can configure Dependabot to use self-hosted runners with custom labels, which allows you to integrate with existing runner infrastructure such as Actions Runner Controller (ARC).

メモ

For security reasons, Dependabot uses GitHub-hosted runners for public repositories, even when you configure labeled runners.
Labeled runners do not work for public repositories.

To configure the runner type:

Under "Dependabot", next to "Runner type", select .
In the "Edit runner type for Dependabot" dialog, select the runner type you want Dependabot to use:
- Standard GitHub runner.
- Labeled runner: If you select this option, Dependabot will use self-hosted runners that match the label you specify.
If you selected Labeled runner:
- In "Runner label", enter the label assigned to your self-hosted runners. Dependabot will use runners with this label. By default, the dependabot label is used, but you can specify a custom label to match your existing runner infrastructure.
- Optionally, in "Runner group name", enter the name of a runner group if you want to target a specific group of runners.
Click Save runner selection.

For more information about configuring self-hosted runners for Dependabot, see セルフホステッドランナーでの Dependabot の管理.

Granting Dependabot access to private repositories

To update private dependencies of repositories in your organization, Dependabot needs access to those repositories. To grant Dependabot access to the desired private repository, scroll down to the "Grant Dependabot access to private repositories" section, then use the search bar to find and select the desired repository. Be aware that granting Dependabot access to a repository means all users in your organization will have access to the contents of that repository through Dependabot updates. For more information about the supported ecosystems for private repositories, see Dependabot でサポートされているエコシステムとリポジトリ.

Configuring global code scanning settings

Code scanning は、GitHub リポジトリ内のコードを分析して、セキュリティの脆弱性とコーディングエラーを見つけることができる機能です。分析によって特定された問題は、リポジトリに表示されます。

You can customize several global settings for code scanning:

Enabling Copilotの自動修正 for CodeQL
Recommending the extended query suite for default setup
Expanding CodeQL analysis

Recommending the extended query suite for default setup

Code scanning offers specific groups of CodeQL queries, called CodeQL query suites, to run against your code. By default, the "Default" query suite is run. GitHub also offers the "Extended" query suite, which contains all the queries in the "Default" query suite, plus additional queries with lower precision and severity. To suggest the "Extended" query suite across your organization, select Recommend the extended query suite for repositories enabling default setup. For more information on built-in query suites for CodeQL default setup, see CodeQL クエリスイート.

Enabling Copilotの自動修正 for CodeQL

You can select Copilotの自動修正 to enable Copilotの自動修正 for all the repositories in your organization that use CodeQL default setup or CodeQL advanced setup. Copilotの自動修正 is an expansion of code scanning that suggests fixes for code scanning alerts. For more information, see コードスキャンにおける Copilot Autofix の責任ある使用.

Expanding CodeQL analysis

You can expand CodeQL analysis coverage for all repositories in your organization that use default setup by configuring CodeQL model packs. Model packs extend the CodeQL analysis to recognize additional frameworks and libraries that are not included in the standard CodeQL libraries. This global configuration applies to repositories using default setup and allows you to specify model packs published via the container registry. For more information, see 既定のセットアップの構成を編集する.

Configuring global secret scanning settings

Secret scanning は、リポジトリの Git 履歴全体をスキャンするセキュリティツールです。これにより、リポジトリ内の問題、プルリクエスト、ディスカッション、ウィキで、誤ってコミットされたトークンや秘密鍵などの漏えいした機密情報を検出します。

You can customize several global settings for secret scanning:

Adding a resource link for blocked commits
Defining custom patterns
Specifying patterns to include in push protection

Adding a resource link for blocked commits

To provide context for developers when secret scanning blocks a commit, you can display a link with more information on why the commit was blocked. To include a link, select Add a resource link in the CLI and the web UI when a commit is blocked. In the text box, type the link to the desired resource, then click Save Link.

Defining custom patterns

You can define custom patterns for secret scanning with regular expressions. Custom patterns can identify secrets that are not detected by the default patterns supported by secret scanning. To create a custom pattern, click New pattern, then enter the details for your pattern and click Save and dry run. For more information on custom patterns, see シークレットスキャンのカスタムパターンの定義.

Specifying patterns to include in push protection

メモ

現在、Enterprise および organization レベルでのプッシュ保護のパターンの構成はパブリックプレビュー段階であり、変更される可能性があります。

You can customize which secret patterns are included in push protection, giving security teams greater control over what types of secrets are blocked in the repositories in your organization.

Under "Additional settings", in the "Secret scanning" section and to the right of "Pattern configurations", click .

In the page that gets displayed, make the desired changes in the "Organization setting" column. 関連する列のトグルを使用して、個々のパターンのプッシュ保護を有効または無効にすることができます (Enterprise レベルでは [Enterprise setting]、organization レベルでは [Organization setting])。

データはスコープに制限されているため、アラートボリューム、誤検知、バイパス率、またはカスタムパターンの可用性には、Enterprise または organization 内のユーザーまたはアラートアクティビティが反映されます。

GitHub の既定値は、精度の向上やパターンのレベル上げに伴い、時間の経過とともに変わる可能性があります。

メモ

Organization の管理者とセキュリティチームは、Enterprise レベルで構成された設定をオーバーライドできます。

列	説明
Name	パターンまたはシークレットの名前
Alert total	パターンに関するアラートの合計数 (割合と絶対数)
偽陽性の数	パターンの誤検知の割合
Bypass rate	パターンのバイパスの割合
GitHub default	GitHub で推奨されるプッシュ保護の既定の動作
Enterprise setting	Organization レベルでは編集不可プッシュ保護の現在の有効化状態 `Enabled`、`Disabled`、`Default` にすることができます。 Enterprise レベルでは、`Default` が既定値です。
Organization setting	Organization レベルでのみ有効プッシュ保護の現在の有効化状態 `Enabled`、`Disabled`、`Enterprise` (Enterprise から継承) にすることができます。既定値は `Enterprise` です。

Creating security managers for your organization

The security manager role grants members of your organization the ability to manage security settings and alerts across your organization. Security managers can view data for all repositories in your organization through security overview.

To learn more about the security manager role, see Organizationでのセキュリティマネージャーの管理.

To assign the security manager role, see 組織の役割の使用.