Skip to main content

Эта версия GitHub Enterprise Server была прекращена 2024-09-25. Исправления выпускаться не будут даже при критических проблемах безопасности. Для повышения производительности, повышения безопасности и новых функций выполните обновление до последней версии GitHub Enterprise Server. Чтобы получить справку по обновлению, обратитесь в службу поддержки GitHub Enterprise.

Оценка внедрения функций безопасности кода

Вы можете использовать обзор безопасности, чтобы узнать, какие команды и репозитории уже включили функции безопасности кода и определить, какие команды еще не защищены.

Кто может использовать эту функцию?

Требуется доступ:

  • Представления организации: доступ на запись к репозиториям в организации
  • Корпоративные представления: владелец организации и менеджеры по безопасности

Note

The "Security risk" and "Security coverage" views are currently in beta and subject to change.

About adoption of code security features

You can use security overview to see which repositories and teams have already enabled each code security feature, and where people need more encouragement to adopt these features. The "Security coverage" view shows a summary and detailed information on feature enablement for an organization. You can filter the view to show a subset of repositories using the "enabled" and "not enabled" links, the "Teams" dropdown menu, and a search field in the page header.

Screenshot of the header section of the "Security coverage" view on the "Security" tab for an organization.

Note

"Pull request alerts" are reported as enabled only when code scanning has analyzed at least one pull request since alerts were enabled for the repository.

Viewing the enablement of code security features for an organization

You can view data to assess the enablement of code security features across repositories in an organization.

  1. On GitHub, navigate to the main page of the organization.

  2. Under your organization name, click Security.

    Screenshot of the horizontal navigation bar for an organization. A tab, labeled with a shield icon and "Security," is outlined in dark orange.

  3. To display the "Security coverage" view, in the sidebar, click Coverage.

  4. Use options in the page summary to filter results to show the repositories you want to assess. The list of repositories and metrics displayed on the page automatically update to match your current selection. For more information on filtering, see "Filtering alerts in security overview."

    • Use the Teams dropdown to show information only for the repositories owned by one or more teams. For more information, see "Managing team access to an organization repository."
    • Click NUMBER enabled or NUMBER not enabled in the header for any feature to show only the repositories with that feature enabled or not enabled.
    • At the top of the list of repositories, click NUMBER Archived to show only repositories that are archived.
    • Click in the search box to add further filters to the repositories displayed.

    Screenshot of the "Security coverage" view. The options for filtering are outlined in dark orange.

  5. Optionally, click Security settings to enable code security features for a repository and click Save security settings to confirm the changes. If a feature is not shown, it has more complex configuration requirements and you need to use the repository settings dialog. For more information, see Quickstart for securing your repository.

  6. Optionally, select some or all of the repositories that match your current search and click Security settings in the table header to display a side panel where you can enable security features for the selected repositories. When you've finished, click Apply changes to confirm the changes. For more information, see Enabling security features for multiple repositories.

In the list of repositories, a "Paused" label under "Dependabot" indicates repositories for which Dependabot updates are paused. For information about inactivity criteria, see About Dependabot security updates and About Dependabot version updates, for security and version updates, respectively.

Viewing the enablement of code security features for an enterprise

You can view data to assess the enablement of code security features across organizations in an enterprise.

In the enterprise-level view, you can view data about the enablement of features, but you cannot enable or disable features.

  1. In the top-right corner of GitHub Enterprise Server, click your profile photo, then click Enterprise settings.

    Screenshot of the drop-down menu that appears when you click the profile photo on GitHub Enterprise Server. The "Enterprise settings" option is highlighted in a dark orange outline.

  2. On the left side of the page, in the enterprise account sidebar, click Code Security.

  3. To display the "Security coverage" view, in the sidebar, click Coverage.

  4. Use options in the page summary to filter results to show the repositories you want to assess. The list of repositories and metrics displayed on the page automatically update to match your current selection. For more information on filtering, see "Filtering alerts in security overview."

    • Use the Teams dropdown to show information only for the repositories owned by one or more teams. For more information, see "Managing team access to an organization repository."
    • Click NUMBER enabled or NUMBER not enabled in the header for any feature to show only the repositories with that feature enabled or not enabled.
    • At the top of the list of repositories, click NUMBER Archived to show only repositories that are archived.
    • Click in the search box to add further filters to the repositories displayed.

    Screenshot of the header section of the "Security coverage" view. The options for filtering are outlined in dark orange.

Tip

You can use the owner filter in the search field to filter the data by organization. For more information, see Filtering alerts in security overview.

Interpreting and acting on the enablement data

Some code security features can and should be enabled on all repositories. For example, secret scanning alerts and push protection reduce the risk of a security leak no matter what information is stored in the repository. If you see repositories that don't already use these features, you should either enable them or discuss an enablement plan with the team who owns the repository. For information on enabling features for a whole organization, see Managing security and analysis settings for your organization. For information on enabling features across your entire enterprise, see Managing GitHub Advanced Security features for your enterprise.

Other features are not available for use in all repositories. For example, there would be no point in enabling Dependabot or code scanning for repositories that only use ecosystems or languages that are unsupported. As such, it's normal to have some repositories where these features are not enabled.

Your enterprise may also have configured policies to limit the use of some code security features. For more information, see Enforcing policies for code security and analysis for your enterprise.