About custom security configurations
We recommend securing your organization with the GitHub-recommended security configuration, then evaluating the security findings on your repositories before configuring custom security configurations. For more information, see Applying the GitHub-recommended security configuration in your organization.
With custom security configurations, you can create collections of enablement settings for GitHub's security products to meet the specific security needs of your organization. For example, you can create a different custom security configuration for each group of repositories to reflect their different levels of visibility, risk tolerance, and impact.
You can also choose whether or not you want to include GitHub Code Security or GitHub Secret Protection features in a configuration. If you do, keep in mind that these features incur usage costs (or require GitHub Advanced Security licenses) when applied to private and internal repositories. For more information, see About GitHub Advanced Security.
Important
The order and names of some settings may differ depending on the license you use: a license for the original GitHub Advanced Security product, or licenses for the two newer products (GitHub Code Security and GitHub Secret Protection). See Creating a GitHub Advanced Security configuration or Creating a Secret Protection and Code Security configuration.
Creating a Secret Protection and Code Security configuration
- In the upper-right corner of GitHub, click your profile picture, then click Your organizations.
- Under your organization name, click Settings. If you cannot see the "Settings" tab, select the dropdown menu, then click Settings.
- In the "Security" section of the sidebar, select the Advanced Security dropdown menu, then click Configurations.
- In the "Security configurations" section, click New configuration.
- To help identify your custom security configuration and clarify its purpose on the "Security configurations" page, name your configuration and create a description.
- Optionally, enable "Secret Protection", a paid feature for private and internal repositories. Enabling Secret Protection enables alerts for secret scanning. In addition, you can choose whether to enable, disable, or keep the existing settings for the following secret scanning features:
  - Validity checks. To learn more about validity checks for partner patterns, see Evaluating alerts from secret scanning.
  - Non-provider patterns. To learn more about scanning for non-provider patterns, see Supported secret scanning patterns and Viewing and filtering alerts from secret scanning.
  - Scan for generic passwords. To learn more, see Responsibly detecting generic secrets with Copilot secret scanning.
  - Push protection. To learn about push protection, see About push protection.
  - Bypass privileges. By assigning bypass privileges, selected organization members can bypass push protection, and there is a review and approval process for all other contributors. See About delegated bypass for push protection.
  - Prevent direct alert dismissals. To learn more, see Enabling delegated alert dismissal for secret scanning.
- Optionally, enable "Code Security", a paid feature for private and internal repositories. You can choose whether to enable, disable, or keep the existing settings for the following code scanning features:
  - Default setup. To learn more about default setup, see Configuring default setup for code scanning.
    Note
    To create a configuration that can be applied to all repositories regardless of their current code scanning settings, select "Enabled with advanced setup allowed". This setting enables default setup only in repositories that are not actively running CodeQL analysis. This option is available in GitHub Enterprise Server 3.19.
  - Runner type. If you want to target specific runners for code scanning, you can choose to use custom-labeled runners at this step. See Configuring default setup for code scanning.
  - Prevent direct alert dismissals. To learn more, see Enabling delegated alert dismissal for code scanning.
- Still under "Code Security", in the "Dependency scanning" table, choose whether you want to enable, disable, or keep the existing settings for the following dependency scanning features:
  - Dependency graph. To learn about the dependency graph, see About the dependency graph.
    Tip
    When both "Code Security" and the dependency graph are enabled, dependency review is enabled as well. See About dependency review.
  - Automatic dependency submission. To learn about automatic dependency submission, see Configuring automatic dependency submission for your repository.
  - Dependabot alerts. To learn about Dependabot, see About Dependabot alerts.
  - Security updates. To learn about security updates, see About Dependabot security updates.
  - Prevent direct alert dismissals. To learn more, see Enabling delegated alert dismissal for Dependabot.
- For "Private vulnerability reporting", choose whether you want to enable, disable, or keep the existing settings. To learn about private vulnerability reporting, see Configuring private vulnerability reporting for a repository.
- Optionally, in the "Policy" section, you can use additional options to control how the configuration is applied:
  - Use as default for newly created repositories. Select the None dropdown menu, then click Public, Private and internal, or All repositories.
    Note
    An organization's default security configuration is applied automatically only to repositories newly created in the organization. If a repository is transferred into the organization, you still need to apply the appropriate security configuration to it manually.
  - Enforce configuration. Block repository owners from changing features that are enabled or disabled by the configuration (features that are not set aren't enforced). Select Enforce from the dropdown menu.
- To finish creating your custom security configuration, click Save configuration.
Note
If a user in your enterprise tries to use the REST API to change the enablement status of a feature in an enforced configuration, the API call will appear to succeed, but the enablement status will not change.
In some situations, enforcement of security configurations on a repository can be disrupted. For example, enabling code scanning will not apply to a repository in the following cases:
- GitHub Actions was initially enabled on the repository but has since been disabled in the repository.
- GitHub Actions, which the code scanning configuration requires, is not available in the repository.
- The definition of which languages should not be analyzed using code scanning default setup has changed.
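An added example (not GitHub's own code) of the enablement and enforcement semantics described in this procedure and in the note above: a configuration enables, disables, or leaves each feature unset, and enforcement covers only the set features, so an audit should compare what a repository actually reports against the enforced values. The repository side uses the shape of the `security_and_analysis` object returned by the repository REST endpoint; the configuration, repository name and status values are constructed.

```python
import json

ENABLED, NOT_SET = "enabled", "not_set"

# Constructed configuration using feature names from this page; each value is
# the UI choice: enable, disable, or keep existing settings (not_set).
CONFIG = {
    "enforcement": "enforced",
    "features": {
        "advanced_security": ENABLED,
        "secret_scanning": ENABLED,
        "secret_scanning_push_protection": ENABLED,
        "dependabot_security_updates": NOT_SET,  # repository keeps its own setting
    },
}

# Constructed sample of the `security_and_analysis` object a repository reports;
# push protection shows as disabled although the configuration enforces it.
REPO_RESPONSE = json.loads("""{
  "full_name": "example-org/payments-api",
  "security_and_analysis": {
    "advanced_security": {"status": "enabled"},
    "secret_scanning": {"status": "enabled"},
    "secret_scanning_push_protection": {"status": "disabled"},
    "dependabot_security_updates": {"status": "disabled"}
  }
}""")


def effective_state(config, current):
    """Set features override the repository; not_set features keep the existing value."""
    result = dict(current)
    for feature, wanted in config["features"].items():
        if wanted != NOT_SET:
            result[feature] = wanted
    return result


def find_drift(config, repo):
    """Return {feature: (expected, actual)} for set features of an enforced
    configuration whose reported status differs; unset features are not enforced."""
    if config["enforcement"] != "enforced":
        return {}
    current = {k: v["status"] for k, v in repo["security_and_analysis"].items()}
    drift = {}
    for feature, wanted in config["features"].items():
        actual = current.get(feature, NOT_SET)
        if wanted != NOT_SET and actual != wanted:
            drift[feature] = (wanted, actual)
    return drift
```

Run `find_drift(CONFIG, response)` over each repository's response; a non-empty result means the enforced configuration did not hold for that repository and the cause (such as the GitHub Actions conditions listed above) should be investigated.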
Creating a GitHub Advanced Security configuration
- In the upper-right corner of GitHub, click your profile picture, then click Your organizations.
- Under your organization name, click Settings. If you cannot see the "Settings" tab, select the dropdown menu, then click Settings.
- In the "Security" section of the sidebar, select the Advanced Security dropdown menu, then click Configurations.
- In the "Security configurations" section, click New configuration.
- To help identify your custom security configuration and clarify its purpose on the "New configuration" page, name your configuration and create a description.
- In the "GitHub Advanced Security features" row, choose whether to include or exclude GitHub Advanced Security (GHAS) features.
- In the "Secret scanning" table, choose whether you want to enable, disable, or keep the existing settings for the following security features:
  - Validity checks. To learn more about validity checks for partner patterns, see Evaluating alerts from secret scanning.
  - Non-provider patterns. To learn more about scanning for non-provider patterns, see Supported secret scanning patterns and Viewing and filtering alerts from secret scanning.
  - Scan for generic passwords. To learn more, see Responsibly detecting generic secrets with Copilot secret scanning.
  - Push protection. To learn about push protection, see About push protection.
  - Bypass privileges. By assigning bypass privileges, selected organization members can bypass push protection, and there is a review and approval process for all other contributors. See About delegated bypass for push protection.
  - Prevent direct alert dismissals. To learn more, see Enabling delegated alert dismissal for secret scanning.
- In the "Code scanning" table, choose whether you want to enable, disable, or keep the existing settings for code scanning default setup.
  - Default setup. To learn more about default setup, see Configuring default setup for code scanning.
    Note
    To create a configuration that can be applied to all repositories regardless of their current code scanning settings, select "Enabled with advanced setup allowed". This setting enables default setup only in repositories that are not actively running CodeQL analysis. This option is available in GitHub Enterprise Server 3.19.
  - Runner type. If you want to target specific runners for code scanning, you can choose to use custom-labeled runners at this step. See Configuring default setup for code scanning.
  - Prevent direct alert dismissals. To learn more, see Enabling delegated alert dismissal for code scanning.
- In the "Dependency scanning" table, choose whether you want to enable, disable, or keep the existing settings for the following dependency scanning features:
  - Dependency graph. To learn about the dependency graph, see About the dependency graph.
    Tip
    When both "GitHub Advanced Security" and the dependency graph are enabled, dependency review is enabled as well. See About dependency review.
  - Automatic dependency submission. To learn about automatic dependency submission, see Configuring automatic dependency submission for your repository.
  - Dependabot alerts. To learn about Dependabot, see About Dependabot alerts.
  - Security updates. To learn about security updates, see About Dependabot security updates.
  - Prevent direct alert dismissals. To learn more, see Enabling delegated alert dismissal for Dependabot.
- For "Private vulnerability reporting", choose whether you want to enable, disable, or keep the existing settings. To learn about private vulnerability reporting, see Configuring private vulnerability reporting for a repository.
- Optionally, in the "Policy" section, you can use additional options to control how the configuration is applied:
  - Use as default for newly created repositories. Select the None dropdown menu, then click Public, Private and internal, or All repositories.
    Note
    An organization's default security configuration is applied automatically only to repositories newly created in the organization. If a repository is transferred into the organization, you still need to apply the appropriate security configuration to it manually.
  - Enforce configuration. Block repository owners from changing features that are enabled or disabled by the configuration (features that are not set aren't enforced). Select Enforce from the dropdown menu.
- To finish creating your custom security configuration, click Save configuration.
Next steps
To apply your custom security configuration to repositories in your organization, see Applying a custom security configuration.
To learn how to edit a custom security configuration, see Editing a custom security configuration.