Enabling GitHub Advanced Security for your enterprise

You can configure GitHub Enterprise Server to include GitHub Advanced Security. This provides extra features that help users find and fix security problems in their code.

Who can use this feature?

GitHub Advanced Security is available for enterprise accounts on GitHub Enterprise Cloud and GitHub Enterprise Server. For more information, see "GitHub's plans."

For information about GitHub Advanced Security for Azure DevOps, see Configure GitHub Advanced Security for Azure DevOps in Microsoft Learn.

About enabling GitHub Advanced Security

GitHub Advanced Security helps developers improve and maintain the security and quality of code. For more information, see "About GitHub Advanced Security."

When you enable GitHub Advanced Security for your enterprise, repository administrators in all organizations can enable the features unless you set up a policy to restrict access. For more information, see "Enforcing policies for code security and analysis for your enterprise."

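You can also enable or disable Advanced Security features via the API. For more information, see "REST API endpoints for secret scanning" in the REST API documentation.

For guidance on a phased deployment of GitHub Advanced Security, see "Introduction to adopting GitHub Advanced Security at scale."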

Checking whether your license includes GitHub Advanced Security

  1. In the top-right corner of GitHub Enterprise Server, click your profile photo, then click "Enterprise settings".

  2. In the enterprise account sidebar, click "Settings".

  3. Under "Settings", click "License".

  4. If your license includes GitHub Advanced Security, the license page includes a section showing details of current usage.

Prerequisites for enabling GitHub Advanced Security

  1. Upgrade your license for GitHub Enterprise Server to include GitHub Advanced Security. For information about licensing, see "About billing for GitHub Advanced Security."

  2. Download the new license file. For more information, see "Downloading your license for GitHub Enterprise."

  3. Upload the new license file to your GitHub Enterprise Server instance. For more information, see "Uploading a new license to GitHub Enterprise Server."

  4. Review the prerequisites for the features you plan to enable.

Enabling and disabling GitHub Advanced Security features

Warning: Changing this setting will cause user-facing services on GitHub Enterprise Server to restart. You should time this change carefully to minimize downtime for users.

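  1. From an administrative account on GitHub Enterprise Server, in the upper-right corner of any page, click

  2. If you're not already on the "Site admin" page, in the upper-left corner, click "Site admin".

  3. In the "Site admin" sidebar, click "Management Console".

  4. In the "Settings" sidebar, click "Security".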

  5. Under "Security," select the features that you want to enable and deselect any features you want to disable.

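  6. Under the "Settings" sidebar, click "Save settings".

    Note: Saving settings in the Management Console restarts system services, which could result in user-visible downtime.

  7. Wait for the configuration run to complete.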

When GitHub Enterprise Server has finished restarting, you're ready to set up any additional resources required for newly enabled features. For more information, see "Configuring code scanning for your appliance."

Enabling or disabling GitHub Advanced Security features via the administrative shell (SSH)

You can enable or disable features programmatically on your GitHub Enterprise Server instance. For more information about the administrative shell and command-line utilities for GitHub Enterprise Server, see "Accessing the administrative shell (SSH)" and "Command-line utilities."

For example, you can enable any GitHub Advanced Security feature with your infrastructure-as-code tooling when you deploy an instance for staging or disaster recovery.

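  1. SSH into your GitHub Enterprise Server instance. If your instance comprises multiple nodes, for example if high availability or geo-replication are configured, SSH into the primary node. If you use a cluster, you can SSH into any node. Replace HOSTNAME with the hostname for your instance, or the hostname or IP address of a node. For more information, see "Accessing the administrative shell (SSH)."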

    Shell
    ssh -p 122 admin@HOSTNAME
    
  2. Enable features for GitHub Advanced Security.

    • To enable code scanning, enter the following commands.

      Shell
      ghe-config app.minio.enabled true
      ghe-config app.code-scanning.enabled true
      
    • To enable secret scanning, enter the following command.

      Shell
      ghe-config app.secret-scanning.enabled true
      
    • To enable the dependency graph, enter the following command.

      Shell
      ghe-config app.dependency-graph.enabled true
      
  3. Optionally, disable features for GitHub Advanced Security.

    • To disable code scanning, enter the following commands.

      Shell
      ghe-config app.code-scanning.enabled false
      
      • Optionally, if you disable code scanning, you can also disable the internal MinIO service for GitHub Advanced Security. If Dependabot updates are enabled for the instance and you want to disable this service, you must also disable Dependabot updates. Disabling the service does not affect MinIO storage for GitHub Actions or GitHub Packages. For more information about Dependabot updates, see "Enabling Dependabot for your enterprise."

        • To disable Dependabot updates, enter the following command.

          Shell
          ghe-config app.dependabot.enabled false
          
        • To disable MinIO, enter the following command.

          Shell
          ghe-config app.minio.enabled false
          
    • To disable secret scanning, enter the following command.

      Shell
      ghe-config app.secret-scanning.enabled false
      
    • To disable the dependency graph, enter the following command.

      ghe-config app.dependency-graph.enabled false
      
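  4. To apply the configuration, run the following command.

    Note: During a configuration run, services on your GitHub Enterprise Server instance may restart, which can cause brief downtime for users.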

    Shell
    ghe-config-apply
    
  5. Wait for the configuration run to complete.
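
For the infrastructure-as-code case mentioned above, the following added example (not GitHub's own tooling) turns a desired feature state into the ordered `ghe-config` commands from this procedure, so the plan can be reviewed before it is run in the administrative shell. The function name `plan_ghas` and its `DROP_MINIO` and `DEPENDABOT_OFF` switches are hypothetical; only the `ghe-config` keys and `ghe-config-apply` come from this page.

```shell
#!/bin/sh
# Added example (not GitHub's tooling): print the ghe-config commands from this
# page for a desired feature state. Nothing here contacts an instance.
#
# plan_ghas CODE_SCANNING SECRET_SCANNING DEPENDENCY_GRAPH [DROP_MINIO] [DEPENDABOT_OFF]
#   first three: true|false; last two (hypothetical switches): yes|no, default no
plan_ghas() {
  p_cs=$1 p_ss=$2 p_dg=$3 p_minio_off=${4:-no} p_dbot_off=${5:-no}
  for p_v in "$p_cs" "$p_ss" "$p_dg"; do
    case $p_v in
      true|false) ;;
      *) echo "plan_ghas: expected true or false, got '$p_v'" >&2; return 2 ;;
    esac
  done

  # Validate before printing anything, so a rejected plan emits no commands.
  if [ "$p_minio_off" = yes ]; then
    # The page enables the internal MinIO service together with code scanning.
    if [ "$p_cs" = true ]; then
      echo "plan_ghas: cannot drop MinIO while enabling code scanning" >&2
      return 2
    fi
    # If Dependabot updates are enabled they must be disabled along with MinIO.
    # This planner cannot see instance state, so it requires an explicit opt-in.
    if [ "$p_dbot_off" != yes ]; then
      echo "plan_ghas: dropping MinIO also requires DEPENDABOT_OFF=yes" >&2
      return 2
    fi
  fi

  if [ "$p_cs" = true ]; then
    echo "ghe-config app.minio.enabled true"
    echo "ghe-config app.code-scanning.enabled true"
  else
    echo "ghe-config app.code-scanning.enabled false"
    if [ "$p_minio_off" = yes ]; then
      echo "ghe-config app.dependabot.enabled false"
      echo "ghe-config app.minio.enabled false"
    fi
  fi
  echo "ghe-config app.secret-scanning.enabled $p_ss"
  echo "ghe-config app.dependency-graph.enabled $p_dg"
  # One apply at the end: the configuration run may restart services.
  echo "ghe-config-apply"
}

# Constructed example: staging instance with code and secret scanning enabled.
plan_ghas true true false
```

Because every change is followed by a single `ghe-config-apply`, batching all feature toggles into one plan keeps the service restart to one configuration run.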