Skip to main content

Configurações de segurança globais para sua organização

Personalize os recursos de GitHub Advanced Security e crie gerenciadores de segurança para fortalecer a segurança da sua organização.

Quem pode usar esse recurso?

Proprietários e gerentes de segurança da organização podem gerenciar security configurations e global settings da organização.

Note: Security configurations and global settings are in beta and subject to change. To provide feedback on these features, see the feedback discussion.

To learn how to opt out of security configurations and global settings, see "Exploring early access releases with feature preview."

About global settings

Alongside security configurations, which determine repository-level security settings, you should also configure global settings for your organization. Global settings apply to your entire organization, and can customize GitHub Advanced Security features based on your needs. You can also create security managers on the global settings page to monitor and maintain your organization's security.

Accessing the global settings page for your organization

  1. In the upper-right corner of GitHub, select your profile photo, then click Your organizations.

  2. Under your organization name, click Settings. If you cannot see the "Settings" tab, select the dropdown menu, then click Settings.

    Screenshot of the tabs in an organization's profile. The "Settings" tab is outlined in dark orange.

  3. In the "Security" section of the sidebar, select the Code security dropdown menu, then click Global settings.

Configuring global Dependabot settings

Dependabot consists of three different features that help you manage your dependencies:

  • Dependabot alerts—inform you about vulnerabilities in the dependencies that you use in your repository.
  • Dependabot security updates—automatically raise pull requests to update the dependencies you use that have known security vulnerabilities.
  • Dependabot version updates—automatically raise pull requests to keep your dependencies up-to-date.

You can customize several global settings for Dependabot:

Creating and managing Dependabot auto-triage rules

You can create and manage Dependabot auto-triage rules to instruct Dependabot to automatically dismiss or snooze Dependabot alerts, and even open pull requests to attempt to resolve them. To configure Dependabot auto-triage rules, click , then create or edit a rule:

  • You can create a new rule by clicking New rule, then entering the details for your rule and clicking Create rule.
  • You can edit an existing rule by clicking , then making the desired changes and clicking Save rule.

For more information on Dependabot auto-triage rules, see "About Dependabot auto-triage rules" and "Customizing auto-triage rules to prioritize Dependabot alerts."

Grouping Dependabot security updates

Dependabot can group all automatically suggested security updates into a single pull request to reduce noise. To enable grouped security updates, select Grouped security updates. For more information about grouped updates and customization options, see "Configuring Dependabot security updates."

Enabling dependency updates on GitHub Actions runners

You can allow Dependabot to use GitHub Actions runners and the Dependabot action to perform dependency updates. To enable Dependabot for GitHub-hosted runners on all repositories in your organization, click Enable all. To automatically enable Dependabot for GitHub-hosted runners on new repositories in your organization, select Automatically enable for new repositories. For more information, see "About Dependabot on GitHub Actions runners."

To have greater control over Dependabot's access to your private registries and internal network resources, you can configure Dependabot to run on GitHub Actions self-hosted runners. For more information, see "About Dependabot on GitHub Actions runners" and "Managing Dependabot on self-hosted runners."

Granting Dependabot access to private and internal repositories

To update private dependencies of repositories in your organization, Dependabot needs access to those repositories. To grant Dependabot access to the desired private or internal repository, scroll down to the "Grant Dependabot access to private repositories" section, then use the search bar to find and select the desired repository. Be aware that granting Dependabot access to a repository means all users in your organization will have access to the contents of that repository through Dependabot updates. For more information about the supported ecosystems for private repositories, see "About Dependabot version updates."

Configuring global code scanning settings

Code scanning is a feature that you use to analyze the code in a GitHub repository to find security vulnerabilities and coding errors. Any problems identified by the analysis are shown in your repository.

You can customize several global settings for code scanning:

Recommending the extended query suite for default setup

Code scanning offers specific groups of CodeQL queries, called CodeQL query suites, to run against your code. By default, the "Default" query suite is run. GitHub also offers the "Extended" query suite, which contains all the queries in the "Default" query suite, plus additional queries with lower precision and severity. To suggest the "Extended" query suite across your organization, select Recommend the extended query suite for repositories enabling default setup. For more information on built-in query suites for CodeQL default setup, see "CodeQL query suites."

Enabling autofix for CodeQL

You can select Autofix for CodeQL to enable autofix for all the repositories in your organization that use CodeQL default setup or CodeQL advanced setup. Autofix is a GitHub Copilot-powered expansion of code scanning that suggests fixes for code scanning alerts in pull requests. For more information, see "About autofix for CodeQL code scanning."

Setting a failure threshold for code scanning checks in pull requests

You can choose the severity levels at which code scanning check runs on pull requests will fail. To choose a security severity level, select the Security: SECURITY-SEVERITY-LEVEL dropdown menu, then click a security severity level. To choose an alert severity level, select the OTHER: ALERT-SEVERITY-LEVEL dropdown menu, then click an alert severity level. For more information, see "About code scanning alerts."

Configuring global secret scanning settings

Secret scanning is a security tool that scans the entire Git history of your repository, as well as issues, pull requests, and discussions in that repository, for leaked secrets that have been accidentally committed, such as tokens or private keys.

You can customize several global settings for secret scanning:

Verifying partner pattern secrets automatically

To reduce the rate of false positive secret scanning alerts, you can automatically verify the validity of some partner pattern secrets by sending each secret to the provider. To enable this automatic verification, select Automatically verify if a secret is valid by sending it to the relevant partner. For information on which partners support validity checks, see "Managing alerts from secret scanning."

Scanning for non-provider patterns

You can choose to scan for non-provider patterns, such as private keys, to detect non-provider secrets before they are leaked. To enable these scans, select Scan for non-provider patterns. Be aware that non-provider tokens often have a higher rate of false positives. To learn more about non-provider patterns, see "Secret scanning patterns" and "Managing alerts from secret scanning."

Note: The detection of non-provider patterns is currently in beta and subject to change.

To provide context for developers when secret scanning blocks a commit, you can display a link with more information on why the commit was blocked. To include a link, select Add a resource link in the CLI and the web UI when a commit is blocked. In the text box, type the link to the desired resource, then click Save.

Defining custom patterns

You can define custom patterns for secret scanning with regular expressions. Custom patterns can identify secrets that are not detected by the default patterns supported by secret scanning. To create a custom pattern, click New pattern, then enter the details for your pattern and click Save and dry run. For more information on custom patterns, see "Defining custom patterns for secret scanning."

Creating security managers for your organization

The security manager role grants members of your organization the ability to manage security settings and alerts across your organization. To grant all members of a team the security manager role, in the "Search for teams" text box, type the name of the desired team. In the dropdown menu that appears, click the team, then click I understand, grant security manager permissions.

Security managers can view data for all repositories in your organization through security overview. To learn more about the security manager role, see "Managing security managers in your organization."