About custom security configurations
We recommend securing your organization with the GitHub-recommended security configuration, then evaluating the security findings on your repositories before configuring custom security configurations. For more information, see "Applying the GitHub-recommended security configuration in your organization."
With custom security configurations, you can create collections of enablement settings for GitHub's security products to meet the specific security needs of your organization. For example, you can create a different custom security configuration for each group of repositories to reflect their different levels of visibility, risk tolerance, and impact.
Creating a custom security configuration
Note
The enablement status of some security features is dependent on other, higher-level security features. For example, disabling dependency graph will also disable Dependabot, vulnerability exposure analysis, and security updates. In security configurations, dependent security features are indicated with indentation in the settings table.
- In the upper-right corner of GitHub, select your profile photo, then click Your organizations.
- Under your organization name, click Settings. If you cannot see the "Settings" tab, select the dropdown menu, then click Settings.
- In the "Security" section of the sidebar, select the Code security dropdown menu, then click Configurations.
- In the "Code security configurations" section, click New configuration.
- To help identify your custom security configuration and clarify its purpose on the "Code security configurations" page, name your configuration and create a description.
- In the "GitHub Advanced Security features" row, choose whether to include or exclude GitHub Advanced Security (GHAS) features. If you plan to apply a custom security configuration with GHAS features to private repositories, you must have available GHAS licenses for each active unique committer to those repositories, or the features will not be enabled. See "About billing for GitHub Advanced Security."
- In the "Dependency graph" section of the security settings table, choose whether you want to enable, disable, or keep the existing settings for the following security features:
  - Dependency graph. To learn about dependency graph, see "About the dependency graph."
  - Automatic dependency submission. To learn about automatic dependency submission, see "Configuring automatic dependency submission for your repository."
  - Dependabot. To learn about Dependabot, see "About Dependabot alerts."
  - Security updates. To learn about security updates, see "About Dependabot security updates."
Note
You cannot manually change the enablement settings for vulnerable function calls. If GitHub Advanced Security features and Dependabot alerts are enabled, vulnerable function calls is also enabled. Otherwise, it is disabled.
- In the "Code scanning" section of the security settings table, choose whether you want to enable, disable, or keep the existing settings for code scanning default setup. To learn about default setup, see "Configuring default setup for code scanning."
- In the "Secret scanning" section of the security settings table, choose whether you want to enable, disable, or keep the existing settings for the following security features:
  - Secret scanning. To learn about secret scanning, see "About secret scanning."
  - Validity check. To learn more about validity checks for partner patterns, see "Evaluating alerts from secret scanning."
  - Non-provider patterns. To learn more about scanning for non-provider patterns, see "Supported secret scanning patterns" and "Viewing and filtering alerts from secret scanning."
  - Push protection. To learn about push protection, see "About push protection."
- Optionally, under "Push protection", choose whether you want to assign bypass privileges to selected actors in your organization. By assigning bypass privileges, selected organization members can bypass push protection, and there is a review and approval process for all other contributors. For further guidance on how to configure this setting, see "Enabling delegated bypass for push protection."
- In the "Private vulnerability reporting" section of the security settings table, choose whether you want to enable, disable, or keep the existing settings for private vulnerability reporting. To learn about private vulnerability reporting, see "Configuring private vulnerability reporting for a repository."
- Optionally, in the "Policy" section, you can choose to automatically apply the security configuration to newly created repositories depending on their visibility. Select the None dropdown menu, then click Public, Private and internal, or both.
  Note: An organization's default security configuration is applied automatically only to repositories newly created within the organization. If a repository is transferred into the organization, you must still apply the appropriate security configuration to it manually.
- Optionally, in the "Policy" section, you can enforce the configuration and block repository owners from changing features that are enabled or disabled by the configuration (features that are not set are not enforced). Next to "Enforce configuration", select Enforce from the dropdown menu.
Note
If a user in your organization tries to change the enablement status of a feature in an enforced configuration using the REST API, the API call will appear to succeed, but no enablement status will change. Re-read the repository's settings after such a call if you need to confirm the actual state.
In some situations, enforcement of a security configuration on a repository can be disrupted. For example, enablement of code scanning will not apply to a repository when:
- GitHub Actions was initially enabled on the repository but has since been disabled in the repository.
- The GitHub Actions required by the code scanning configuration are not available in the repository.
- The definition of which languages should not be analyzed by code scanning default setup has changed.
- To finish creating your custom security configuration, click Save configuration.
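The steps above describe the web UI; the same configuration can be expressed as a request body and created through the REST API, which is useful when you manage several configurations across organizations. The following is an added example written for this page, not GitHub's own code or a script from the documentation. It assumes the endpoint `POST /orgs/{org}/code-security/configurations`, the field names, and the value set `enabled`/`disabled`/`not_set` as the author understands the REST API for code security configurations; verify them against the API reference before relying on them. The dependency chain in `DEPENDS_ON` follows the note above (disabling dependency graph disables Dependabot and security updates) plus the indentation of the settings table, and is an assumption; the organization name, configuration name, and sample bodies are constructed.

```python
import json
import os
import urllib.request

ENABLEMENT = {"enabled", "disabled", "not_set"}  # "not_set" keeps existing settings

# Feature -> the higher-level feature it depends on. Assumption based on the note
# above (dependency graph off => Dependabot and security updates off) and on the
# indentation of the settings table for the secret scanning sub-features.
DEPENDS_ON = {
    "dependency_graph_autosubmit_action": "dependency_graph",
    "dependabot_alerts": "dependency_graph",
    "dependabot_security_updates": "dependabot_alerts",
    "secret_scanning_validity_checks": "secret_scanning",
    "secret_scanning_non_provider_patterns": "secret_scanning",
    "secret_scanning_push_protection": "secret_scanning",
}

# Field names assumed to match the REST API's configuration object.
FEATURES = ("dependency_graph", "dependency_graph_autosubmit_action", "dependabot_alerts",
            "dependabot_security_updates", "code_scanning_default_setup", "secret_scanning",
            "secret_scanning_validity_checks", "secret_scanning_non_provider_patterns",
            "secret_scanning_push_protection", "private_vulnerability_reporting")


def build_configuration(name, description, **features):
    """Return the request body; any feature not given stays "not_set" (keep existing)."""
    body = {"name": name, "description": description, "advanced_security": "disabled",
            **{f: "not_set" for f in FEATURES}, "enforcement": "unenforced"}
    for key, value in features.items():
        if key in ("name", "description") or key not in body:
            raise KeyError(f"unknown feature {key!r}")
        allowed = {"enforced", "unenforced"} if key == "enforcement" else ENABLEMENT
        if value not in allowed:
            raise ValueError(f"{key}: {value!r} not in {sorted(allowed)}")
        body[key] = value
    return body


def effective_status(body, feature):
    """Status after the dependency rule: a feature requested as enabled is
    effectively disabled if anything it (transitively) depends on is disabled."""
    status = body.get(feature, "not_set")
    parent = DEPENDS_ON.get(feature)
    if status == "enabled" and parent and effective_status(body, parent) == "disabled":
        return "disabled"
    return status


def find_dependency_conflicts(body):
    """Features requested as enabled that GitHub would leave disabled."""
    return sorted(f for f in DEPENDS_ON
                  if body.get(f) == "enabled" and effective_status(body, f) == "disabled")


def vulnerable_function_calls(body):
    """Not settable by hand (see the note above): enabled only when GHAS features
    and Dependabot alerts are both effectively enabled."""
    ghas = body.get("advanced_security") == "enabled"
    alerts = effective_status(body, "dependabot_alerts") == "enabled"
    return "enabled" if ghas and alerts else "disabled"


def unapplied_features(body, actual):
    """Diff the requested body against what a later GET returns. Needed because a
    write that collides with an enforced configuration reports success without
    changing anything, so the HTTP status alone proves nothing."""
    return sorted(k for k, v in body.items()
                  if v in ("enabled", "disabled") and actual.get(k) != v)


def create_configuration(org, body, token):
    """POST the configuration to the organization (network call; needs an admin token)."""
    req = urllib.request.Request(
        f"https://api.github.com/orgs/{org}/code-security/configurations",
        data=json.dumps(body).encode(), method="POST",
        headers={"Accept": "application/vnd.github+json",
                 "Authorization": f"Bearer {token}",
                 "X-GitHub-Api-Version": "2022-11-28",
                 "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


if __name__ == "__main__":
    # Constructed example: GHAS plus push protection, enforced, for private repos.
    body = build_configuration(
        "private-high-risk", "GHAS and push protection for private repositories",
        advanced_security="enabled", dependency_graph="enabled",
        dependabot_alerts="enabled", dependabot_security_updates="enabled",
        code_scanning_default_setup="enabled", secret_scanning="enabled",
        secret_scanning_push_protection="enabled",
        private_vulnerability_reporting="enabled", enforcement="enforced")
    if conflicts := find_dependency_conflicts(body):
        raise SystemExit(f"resolve dependencies before submitting: {conflicts}")
    print("vulnerable function calls will be", vulnerable_function_calls(body))
    token = os.environ.get("GITHUB_TOKEN")
    if token:
        created = create_configuration("example-org", body, token)  # constructed org name
        print("created configuration", created.get("id"))
    else:
        print(json.dumps(body, indent=2))  # dry run: show the body that would be sent
```

Without `GITHUB_TOKEN` set, the script only prints the body it would send, so it can be reviewed before anything touches the organization. `find_dependency_conflicts` catches the case the note above describes (for example, requesting Dependabot alerts while disabling dependency graph), and `unapplied_features` is the check to run against a later GET when a write may have silently collided with an enforced configuration.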
Next steps
To apply your custom security configuration to repositories in your organization, see "Applying a custom security configuration."
To learn how to edit a custom security configuration, see "Editing a custom security configuration."