Tip
This article is part of a series on adopting GitHub Advanced Security at scale. For the previous article in this series, see Phase 4: Create internal documentation.
You can quickly enable security features at scale with the GitHub-recommended security configuration, a collection of security enablement settings that you can apply to the repositories in an organization. You can then further customize Advanced Security features at the organization level with global settings. See Enabling security features at scale.
Enabling code scanning
After piloting code scanning and creating internal documentation for best practices, you can enable code scanning across your company. You can configure code scanning default setup for all repositories in an organization from security overview. For more information, see Configuring default setup for code scanning at scale.
For some languages or build systems, you may need to configure advanced setup for code scanning instead in order to get full coverage of the codebase. However, advanced setup takes much more effort to configure, customize, and maintain, so we recommend enabling default setup first.
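To make the difference between default and advanced setup concrete, here is an added example of a CodeQL advanced setup workflow (it is not from the original article or from GitHub's starter workflow). It assumes a repository with a C/C++ component that needs a manual build and a JavaScript/TypeScript component that does not; the `./configure` and `make` commands are placeholders for whatever the project's real build is, and `security-extended` is one of the built-in query suites.

```yaml
# Added example: CodeQL advanced setup for a mixed C/C++ and JavaScript repository.
# Default setup cannot drive a custom build, so a compiled language with a
# non-standard build is the typical reason to fall back to a workflow like this.
name: "CodeQL advanced setup"

on:
  push:
    branches: [ main ]
  pull_request:
    branches: [ main ]
  schedule:
    # Weekly full scan so new queries are applied even without pushes.
    - cron: '30 3 * * 1'

jobs:
  analyze:
    name: Analyze (${{ matrix.language }})
    runs-on: ubuntu-latest
    permissions:
      # Required to upload SARIF results as code scanning alerts.
      security-events: write
      contents: read
      actions: read
    strategy:
      fail-fast: false
      matrix:
        include:
          # Compiled language: we run the build ourselves between init and analyze.
          - language: c-cpp
            build-mode: manual
          # Interpreted language: no build step is needed.
          - language: javascript-typescript
            build-mode: none
    steps:
      - uses: actions/checkout@v4

      - name: Initialize CodeQL
        uses: github/codeql-action/init@v3
        with:
          languages: ${{ matrix.language }}
          build-mode: ${{ matrix.build-mode }}
          # Broader query suite than the default; tune this per organization.
          queries: security-extended

      - name: Build (manual build mode only)
        if: matrix.build-mode == 'manual'
        run: |
          # Assumed project build commands; replace with the real ones.
          ./configure
          make

      - name: Perform CodeQL analysis
        uses: github/codeql-action/analyze@v3
        with:
          # A category per language keeps results separate in the alert view.
          category: "/language:${{ matrix.language }}"
```

Everything between `init` and `analyze` for the `manual` entry is project-specific, which is exactly the configuration and maintenance cost the paragraph above refers to; keep such workflows to the repositories that genuinely need them and leave the rest on default setup.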
Building subject matter expertise
To successfully manage and use code scanning across your company, you should build internal subject matter expertise. For default setup for code scanning, one of the most important areas for subject matter experts (SMEs) to understand is interpreting and fixing code scanning alerts. For more information about code scanning alerts, see:
- About code scanning alerts
- Assessing code scanning alerts for your repository
- Resolving code scanning alerts
You'll also need SMEs if you need to use advanced setup for code scanning. These SMEs will need knowledge of code scanning alerts, as well as topics like GitHub Actions and customizing code scanning workflows for particular frameworks. For custom configurations of advanced setup, consider running meetings on complicated topics to scale the knowledge of several SMEs at once.
For code scanning alerts from CodeQL analysis, you can use security overview to see how CodeQL is performing in pull requests in repositories across your organization, and to identify repositories where you may need to take action. For more information, see Viewing metrics for pull request alerts.
With a GitHub Copilot Enterprise license, you can also ask GitHub Copilot Chat for help to better understand code scanning alerts in repositories in your organization. For more information, see Asking GitHub Copilot questions in GitHub.
Tip
For the next article in this series, see Phase 6: Rollout and scale secret scanning.