Configuring global security settings for your organization

Customize Advanced Security features to strengthen the security of your organization.

谁可以使用此功能?

具有管理员角色的组织所有者、安全管理员和组织成员

本文内容

About global settings

Alongside security configurations, which determine repository-level security settings, you should also configure global settings for your organization. Global settings apply to your entire organization, and can customize Advanced Security features based on your needs.

Accessing the global settings page for your organization

  1. 在 GitHub 的右上角,单击个人资料图片,然后单击“ Your organizations”****。

  2. 在组织名称下,单击 “Settings”****。 如果看不到“设置”选项卡,请选择“”下拉菜单,然后单击“设置”********。

    组织配置文件中选项卡的屏幕截图。 “设置”选项卡以深橙色标出。

  3. In the "Security" section of the sidebar, select the Advanced Security dropdown menu, then click Global settings.

Configuring global Dependabot settings

Dependabot 由三种不同的功能组成,可帮助你管理依赖项:

  • Dependabot alerts:就存储库中使用的依赖项中的漏洞问题通知你。
  • Dependabot security updates:自动引发拉取请求,以更新你使用的具有已知安全漏洞的依赖项。
  • Dependabot version updates:自动引发拉取请求以使依赖项保持最新。

You can customize several global settings for Dependabot:

Creating and managing Dependabot 自动分类规则

You can create and manage Dependabot 自动分类规则 to instruct Dependabot to automatically dismiss or snooze Dependabot alerts, and even open pull requests to attempt to resolve them. To configure Dependabot 自动分类规则, click , then create or edit a rule:

  • You can create a new rule by clicking New rule, then entering the details for your rule and clicking Create rule.
  • You can edit an existing rule by clicking , then making the desired changes and clicking Save rule.

For more information on Dependabot 自动分类规则, see 关于 Dependabot 自动分类规则 and 自定义自动分类规则以确定 Dependabot 警报的优先级.

Grouping Dependabot security updates

Dependabot can group all automatically suggested security updates into a single pull request. To enable grouped security updates, select Grouped security updates. For more information about grouped updates and customization options, see 配置 Dependabot 安全更新.

Enabling dependency updates on GitHub Actions runners

If both Dependabot and GitHub Actions are enabled for existing repositories in your organization, GitHub will automatically use GitHub-hosted runners to run dependency updates for those repositories.

Otherwise, to allow Dependabot to use GitHub Actions runners to perform dependency updates for all existing repositories in the organization, select "Dependabot on Actions runners".

For more information, see 关于 GitHub Actions 运行程序上的 Dependabot.

Configuring the runner type for Dependabot

You can configure which type of runner Dependabot uses to scan for version and security updates. By default, Dependabot uses standard GitHub-hosted runners. You can configure Dependabot to use self-hosted runners with custom labels, which allows you to integrate with existing runner infrastructure such as Actions Runner Controller (ARC).

注意

  • For security reasons, Dependabot uses GitHub-hosted runners for public repositories, even when you configure labeled runners.
  • Labeled runners do not work for public repositories.

To configure the runner type:

  1. Under "Dependabot", next to "Runner type", select .
  2. In the "Edit runner type for Dependabot" dialog, select the runner type you want Dependabot to use:
    • Standard GitHub runner.
    • Labeled runner: If you select this option, Dependabot will use self-hosted runners that match the label you specify.
  3. If you selected Labeled runner:
    • In "Runner label", enter the label assigned to your self-hosted runners. Dependabot will use runners with this label. By default, the dependabot label is used, but you can specify a custom label to match your existing runner infrastructure.
    • Optionally, in "Runner group name", enter the name of a runner group if you want to target a specific group of runners.
  4. Click Save runner selection.

For more information about configuring self-hosted runners for Dependabot, see 在自托管运行器上管理 Dependabot.

Granting Dependabot access to private and internal repositories

To update private dependencies of repositories in your organization, Dependabot needs access to those repositories. To grant Dependabot access to the desired private or internal repository, scroll down to the "Grant Dependabot access to private repositories" section, then use the search bar to find and select the desired repository. Be aware that granting Dependabot access to a repository means all users in your organization will have access to the contents of that repository through Dependabot updates. For more information about the supported ecosystems for private repositories, see Dependabot 支持的生态系统和存储库.

Configuring global code scanning settings

Code scanning 是一项功能,可用于分析 GitHub 仓库中的代码,以查找安全漏洞和编码错误。 分析标识的任何问题都显示在存储库中。

You can customize several global settings for code scanning:

Recommending the extended query suite for default setup

Code scanning offers specific groups of CodeQL queries, called CodeQL query suites, to run against your code. By default, the "Default" query suite is run. GitHub also offers the "Extended" query suite, which contains all the queries in the "Default" query suite, plus additional queries with lower precision and severity. To suggest the "Extended" query suite across your organization, select Recommend the extended query suite for repositories enabling default setup. For more information on built-in query suites for CodeQL default setup, see CodeQL 查询套件.

Enabling Copilot Autofix for CodeQL

You can select Copilot Autofix to enable Copilot Autofix for all the repositories in your organization that use CodeQL default setup or CodeQL advanced setup. Copilot Autofix is an expansion of code scanning that suggests fixes for code scanning alerts. For more information, see 负责任地使用 Copilot Autofix 进行代码扫描.

Expanding CodeQL analysis

You can expand CodeQL analysis coverage for all repositories in your organization that use default setup by configuring CodeQL model packs. Model packs extend the CodeQL analysis to recognize additional frameworks and libraries that are not included in the standard CodeQL libraries. This global configuration applies to repositories using default setup and allows you to specify model packs published via the container registry. For more information, see 编辑默认设置配置.

Configuring global secret scanning settings

Secret scanning 是一种安全工具,用于扫描存储库的整个 Git 历史记录, 以及这些存储库中的问题、 拉取请求、 讨论和 wikis,以查找因意外提交而泄露的机密,例如令牌或私钥。

You can customize several global settings for secret scanning:

To provide context for developers when secret scanning blocks a commit, you can display a link with more information on why the commit was blocked. To include a link, select Add a resource link in the CLI and the web UI when a commit is blocked. In the text box, type the link to the desired resource, then click Save Link.

Defining custom patterns

You can define custom patterns for secret scanning with regular expressions. Custom patterns can identify secrets that are not detected by the default patterns supported by secret scanning. To create a custom pattern, click New pattern, then enter the details for your pattern and click Save and dry run. For more information on custom patterns, see 为机密扫描定义自定义模式.

Specifying patterns to include in push protection

注意

企业和组织级别的推送保护模式配置目前处于 公共预览版,可能会发生变化。

You can customize which secret patterns are included in push protection, giving security teams greater control over what types of secrets are blocked in the repositories in your organization.

  1. Under "Additional settings", in the "Secret scanning" section and to the right of "Pattern configurations", click .

  2. In the page that gets displayed, make the desired changes in the "Organization setting" column. 可以使用相关列中的切换按钮为单个模式启用或禁用推送保护:企业级别为“Enterprise setting”,组织级别为“Organization setting”。

    数据受范围限制,因此警报量、误报、绕过率或自定义模式的可用性反映了企业或组织中的用户/警报活动。____

    随着我们提高精准率并推广模式,GitHub 默认值可能会随时间而变化。

    注意

    组织管理员和安全团队可以替代企业级别配置的设置。

    说明
    Name模式或机密名称
    警报总数模式的警报总数(百分比和绝对数)
    假正模式的误报百分比
    绕过率模式的绕过百分比
    GitHub 默认值推送保护的默认行为(由 GitHub 建议)
    企业设置在组织级别不可编辑****
    推送保护的当前启用状态
    可以是 EnabledDisabledDefault
    在企业级别,Default 是默认值。
    组织设置仅在组织级别有效****
    推送保护的当前启用状态
    可以是 EnabledDisabledEnterprise(从企业继承)。
    默认值为 Enterprise

Creating security managers for your organization

The security manager role grants members of your organization the ability to manage security settings and alerts across your organization. Security managers can view data for all repositories in your organization through security overview.

To learn more about the security manager role, see 管理组织中的安全管理员.

To assign the security manager role, see 使用组织角色.