About custom security configurations
We recommend securing your enterprise with the GitHub-recommended security configuration, then evaluating the security findings on your repositories before configuring custom security configurations. For more information, see Applying the GitHub-recommended security configuration to your enterprise.
With custom security configurations, you can create collections of enablement settings for GitHub's security products to meet the specific security needs of your enterprise. For example, you can create a different custom security configuration for each organization or group of organizations to reflect their unique security requirements and compliance obligations.
Creating a custom security configuration
Note
The enablement status of some security features is dependent on other, higher-level security features. For example, disabling dependency graph will also disable automatic dependency submission, Dependabot alerts, vulnerability exposure analysis, and security updates.
- In the upper-right corner of GitHub, click your profile photo.
- Depending on your environment, click Your enterprise, or click Your enterprises, then click the enterprise you want to view.
- On the left side of the page, in the enterprise account sidebar, click Settings.
- In the left sidebar, click Code security.
- In the "Configurations" section, click New configuration.
- To help identify your custom security configuration and clarify its purpose on the "Configurations" page, name your configuration and create a description.
- In the "GitHub Advanced Security features" row, choose whether to include or exclude GitHub Advanced Security (GHAS) features. If you plan to apply a custom security configuration with GHAS features to private repositories, you must have available GHAS licenses for each active unique committer to those repositories, or the features will not be enabled. See About billing for GitHub Advanced Security.
- In the "Dependency graph and Dependabot" section of the security settings table, choose whether you want to enable, disable, or keep the existing settings for the following security features:
  - Dependency graph. To learn about dependency graph, see About the dependency graph.
  - Automatic dependency submission. To learn about automatic dependency submission, see Configuring automatic dependency submission for your repository.
  - Dependabot alerts. To learn about Dependabot alerts, see About Dependabot alerts.
  - Security updates. To learn about security updates, see About Dependabot security updates.
  Note
  You cannot manually change the enablement setting for vulnerable function calls. If GitHub Advanced Security features and Dependabot alerts are both enabled, vulnerable function calls is also enabled. Otherwise, it is disabled.
- In the "Code scanning" section of the security settings table, choose whether you want to enable, disable, or keep the existing settings for code scanning default setup. To learn about default setup, see Configuring default setup for code scanning.
- In the "Secret scanning" section of the security settings table, choose whether you want to enable, disable, or keep the existing settings for the following security features:
  - Alerts. To learn about secret scanning, see About secret scanning.
  - Non-provider patterns. To learn more about scanning for non-provider patterns, see Supported secret scanning patterns and Viewing and filtering alerts from secret scanning.
  - Push protection. To learn about push protection, see About push protection.
- In the "Private vulnerability reporting" section of the security settings table, choose whether you want to enable, disable, or keep the existing settings for private vulnerability reporting. To learn about private vulnerability reporting, see Configuring private vulnerability reporting for a repository.
- Optionally, in the "Policy" section, you can choose to automatically apply the security configuration to newly created repositories depending on their visibility. Select the None dropdown menu, then click Public, Private and internal, or All repositories.
- Optionally, in the "Policy" section, you can enforce the configuration and block repository owners from changing features that are enabled or disabled by the configuration (features that are left as "not set" are not enforced). Next to "Enforce configuration", select Enforce from the dropdown menu.
  Note
  If a user in your enterprise attempts to change the enablement status of a feature in an enforced configuration using the REST API, the API call will appear to succeed, but no enablement statuses will change. Because the response does not signal this, read the repository's settings back after the call instead of relying on the status code.
  Some situations can break the enforcement of security configurations for a repository. For example, the enablement of code scanning will not apply to a repository if:
  - GitHub Actions is initially enabled on the repository, but is then disabled in the repository.
  - The GitHub Actions workflows required by code scanning configurations are not available in the repository.
  - The definition of which languages should not be analyzed using code scanning default setup is changed.
- To finish creating your custom security configuration, click Save configuration.
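The two behaviours above that are easy to get wrong in practice are the feature dependencies (disabling dependency graph silently turns off the features built on it, and vulnerable function calls follows GHAS and Dependabot alerts) and the REST API note (a change to an enforced feature returns success but does nothing). The following Python is an added example, not GitHub's own code or schema: it models the dependency rules stated on this page and checks a repository's settings read back from the API against what was requested. The feature names and the values "enabled", "disabled" and "not_set" are names chosen here for illustration; the read-back helper assumes the `GET /repos/{owner}/{repo}` endpoint returns a `security_and_analysis` object whose entries carry a `status` field, and it needs a token with repository administration permission.

```python
"""Added example (not GitHub's own code): model the feature dependencies this
page describes for a custom security configuration, and check whether a REST
API change to a repository's security settings actually took effect.

Assumptions (not stated on the page):
  - feature keys and the values "enabled"/"disabled"/"not_set" are names
    chosen for this example, not GitHub's configuration schema;
  - the read-back uses GET /repos/{owner}/{repo} and its security_and_analysis
    object, where each feature carries a "status" field.
"""
import json
import urllib.request

ENABLED, DISABLED, NOT_SET = "enabled", "disabled", "not_set"

# Features switched off whenever dependency graph is disabled (the page's
# note: disabling dependency graph also disables automatic dependency
# submission, Dependabot alerts, vulnerability exposure analysis and
# security updates).
DEPENDS_ON_DEPENDENCY_GRAPH = (
    "dependency_graph_autosubmit",
    "dependabot_alerts",
    "dependabot_security_updates",
)


def effective_enablement(config: dict) -> dict:
    """Return the enablement a configuration will actually produce.

    `config` maps feature name -> ENABLED / DISABLED / NOT_SET as chosen in
    the configuration form; missing keys count as NOT_SET.
    """
    result = dict(config)
    if result.get("dependency_graph", NOT_SET) == DISABLED:
        for feature in DEPENDS_ON_DEPENDENCY_GRAPH:
            result[feature] = DISABLED

    # Vulnerable function calls cannot be set by hand: enabled only when GHAS
    # features and Dependabot alerts are both enabled, otherwise disabled.
    ghas = result.get("advanced_security", NOT_SET)
    alerts = result.get("dependabot_alerts", NOT_SET)
    result["vulnerable_function_calls"] = (
        ENABLED if ghas == ENABLED and alerts == ENABLED else DISABLED
    )
    return result


def enforced_features(config: dict) -> set:
    """Features an enforced configuration locks: everything it sets, and
    nothing it leaves as "not set"."""
    return {f for f, v in effective_enablement(config).items() if v != NOT_SET}


def unchanged_features(requested: dict, observed: dict) -> list:
    """Compare the security_and_analysis statuses requested in a PATCH with
    the repository's state read back afterwards. Returns the features whose
    status did not take; over the API an enforced configuration looks exactly
    like this: the PATCH appears to succeed but nothing changes."""
    stale = []
    for feature, wanted in requested.items():
        got = observed.get(feature, {}).get("status")
        if got != wanted.get("status"):
            stale.append(feature)
    return sorted(stale)


def read_back_security_settings(owner: str, repo: str, token: str) -> dict:
    """Fetch the repository's security_and_analysis object (needs network
    access and a token with repository administration permission)."""
    req = urllib.request.Request(
        f"https://api.github.com/repos/{owner}/{repo}",
        headers={
            "Authorization": f"Bearer {token}",
            "Accept": "application/vnd.github+json",
        },
    )
    with urllib.request.urlopen(req) as resp:
        return json.load(resp).get("security_and_analysis", {})


if __name__ == "__main__":
    # Constructed sample: disables dependency graph but tries to enable
    # Dependabot alerts, with GHAS features included.
    cfg = {
        "advanced_security": ENABLED,
        "dependency_graph": DISABLED,
        "dependabot_alerts": ENABLED,
        "code_scanning_default_setup": NOT_SET,
    }
    print(json.dumps(effective_enablement(cfg), indent=2))

    # Constructed sample of a PATCH body and the GET response read back after
    # it, as seen when the feature is locked by an enforced configuration.
    requested = {"secret_scanning_push_protection": {"status": "disabled"}}
    observed = {"secret_scanning_push_protection": {"status": "enabled"}}
    print("did not change:", unchanged_features(requested, observed))
```

Run it offline to see the dependency rules applied to the constructed configuration; in a real environment, call `read_back_security_settings` after your PATCH and pass its result as `observed` so that a silently ignored change shows up as a non-empty list rather than a 200 response you took at face value.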
Next steps
To optionally configure additional secret scanning settings for the enterprise, see Configuring additional secret scanning settings for your enterprise.
To apply your custom security configuration to repositories in your organization, see Applying a custom security configuration.
To learn how to edit a custom security configuration, see "Editing a custom security configuration".