About security findings
After you apply a security configuration to a repository, the enabled security features will likely raise security findings on that repository. These findings may show up as feature-specific alerts, or as automatically generated pull requests designed to keep your repositories secure. You can analyze the findings across the organization and make any necessary adjustments to your security configuration.
To best secure your organization, you should encourage contributors to review and resolve security alerts and pull requests.
Finding repositories with security alerts using security overview
The information shown in security overview varies depending on your access to repositories and organizations, and on whether those repositories and organizations use Advanced Security features. For more information, see "About security overview".
- On GitHub, navigate to the main page of the organization.
- Under your organization name, click Security.
- By default, the overview shows alerts for all native GitHub tools (filter: tool:github). To display alerts for a specific tool, replace tool:github in the filter text box. For example:
  - tool:dependabot to show only alerts for dependencies identified by Dependabot.
  - tool:secret-scanning to show only alerts for secrets identified by secret scanning.
  - tool:codeql to show only alerts for potential security vulnerabilities identified by CodeQL code scanning.
- You can add further filters to show only the repositories you want to assess. The list of repositories and metrics displayed on the page automatically updates to match your current selection. For more information on filtering, see "Filtering alerts in security overview".
- Optionally, use the sidebar on the left to explore the alerts for a specific security feature in more detail. On each page, you can use filters specific to that feature to refine your search. For more information on the available qualifiers, see "Filtering alerts in security overview".
Interpreting secret scanning alerts
Secret scanning is a security tool that scans the entire Git history of repositories, as well as the issues, pull requests, and discussions in those repositories, for secrets leaked by accidental commits, such as tokens or private keys. You can view secret scanning alerts for an organization by navigating to the main page of that organization, clicking the Security tab, then clicking Secret scanning in the "Metrics" or "Alerts" section.
- Metrics. To see detailed information on push protection events, see Viewing metrics for secret scanning push protection.
- Alerts. To see detailed information on Default and Generic alerts for exposed secrets in the organization.
For an introduction to secret scanning alerts, see "About secret scanning alerts".
To learn how to evaluate secret scanning alerts, see "Evaluating alerts from secret scanning".
Interpreting code scanning alerts
Code scanning is a feature you can use to analyze the code in a GitHub repository to find security vulnerabilities and coding errors. Any problems identified by the analysis are shown in the repository. These problems are raised as code scanning alerts, which contain detailed information on the vulnerability or error detected.
You can view the code scanning alerts for an organization by navigating to the main page of that organization, clicking the Security tab, then clicking:
- CodeQL pull request alerts. To see information on code scanning alerts found and remediated in pull requests.
- Code scanning. To see detailed information on alerts for potentially vulnerable code in the organization, see Viewing metrics for pull request alerts.
For an introduction to code scanning alerts, see "About code scanning alerts".
To learn how to interpret and resolve code scanning alerts, see "Assessing code scanning alerts for your repository" and "Resolving code scanning alerts".
Interpreting Dependabot alerts
Dependabot alerts inform you about vulnerabilities in the dependencies that you use in repositories in your organization. You can view Dependabot alerts for an organization by navigating to the main page of that organization, clicking the Security tab, then clicking Dependabot.
For an introduction to Dependabot alerts, see "About Dependabot alerts".
To learn how to interpret and resolve Dependabot alerts, see "Viewing and updating Dependabot alerts".
Note
If you enabled Dependabot security updates, Dependabot can also automatically raise pull requests to update the dependencies used in the repositories of the organization. For more information, see "About Dependabot security updates".
Next steps
If your findings indicate that the security enablement settings are not meeting your needs, you can edit your existing configuration. For more information, see "Editing a custom security configuration".
Lastly, you can also edit your organization-level security settings with global settings. To learn more, see "Configuring global security settings for your organization".