
Phase 3: Pilot programs

You may benefit from beginning with a few high-impact projects and teams with which to pilot an initial rollout. This will allow an initial group within your company to get familiar with GHAS, learn how to enable and configure GHAS, and build a solid foundation on GHAS before rolling out to the remainder of your company.

Tip

This article is part of a series on adopting GitHub Advanced Security at scale. For the previous article in this series, see Phase 2: Preparing to enable at scale.

About pilot programs

We recommend you identify a few high-impact projects or teams to use in a pilot rollout of GHAS. This allows an initial group within your company to get familiar with GHAS and builds a solid foundation for GHAS before you roll it out to the remainder of your company.

The steps in this phase will help you enable GHAS on your enterprise, begin using its features, and review your results. If you're working with GitHub Professional Services, they can provide additional assistance throughout this process with onboarding sessions, GHAS workshops, and troubleshooting as needed.

Before you start your pilot projects, we recommend that you schedule some meetings for your teams, such as an initial meeting, midpoint review, and a wrap-up session when the pilot is complete. These meetings will help you all make adjustments as needed and ensure your teams are prepared and supported to complete the pilot successfully.

Piloting all GitHub Advanced Security features

You can enable security features quickly and at scale with the GitHub-recommended security configuration, a collection of security enablement settings that can be applied to repositories in an organization. You can then further customize Advanced Security features at the organization level with global settings. For more information, see About enabling security features at scale.

Piloting code scanning

You can quickly configure default setup for code scanning across multiple repositories in an organization using security overview. For more information, see Configuring default setup for code scanning at scale.

You can also choose to enable code scanning for all repositories in an organization, but we recommend configuring code scanning on a subset of high-impact repositories for your pilot program.

For some languages or build systems, you may need to configure advanced setup for code scanning instead, so that the analysis covers your whole codebase. However, advanced setup requires more effort to configure, customize, and maintain, so we recommend enabling default setup first.

If your company wants to use other third-party code analysis tools with GitHub code scanning, you can use GitHub Actions to run those tools within GitHub. Alternatively, you can upload the results generated by third-party tools, as SARIF files, to code scanning. For more information, see Integrating with code scanning.
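The upload path described above, as an added example that is not part of the original article or of any GitHub tooling: a small POSIX shell script that packages a SARIF file the way the code scanning upload endpoint expects (gzip-compressed, then base64-encoded, on one line) and posts it with the gh CLI. It assumes gh is installed and authenticated with a token that can write code scanning alerts for the target repository, that gzip and base64 are on the PATH, and that the commit SHA and ref passed in are the ones the analysis was run against. The SARIF document it writes is a constructed, minimal fixture, and the owner/repo, rule ID and file names in it are placeholders.

```shell
#!/bin/sh
# Added example (not from the GitHub docs): upload third-party SARIF results to
# code scanning via POST /repos/{owner}/{repo}/code-scanning/sarifs using gh.
# Assumptions: gh is authenticated with write access to code scanning alerts,
# gzip/base64 are available, and DRY_RUN=1 (the default) only prints the call.
set -eu

# Write a constructed, minimal SARIF 2.1.0 document to the path given in $1.
# The tool name, rule ID and file path are placeholders for this example.
write_sample_sarif() {
  cat > "$1" <<'EOF'
{
  "version": "2.1.0",
  "$schema": "https://json.schemastore.org/sarif-2.1.0.json",
  "runs": [{
    "tool": {"driver": {"name": "example-linter",
      "rules": [{"id": "EX001", "shortDescription": {"text": "Hardcoded credential"}}]}},
    "results": [{"ruleId": "EX001", "level": "warning",
      "message": {"text": "Possible hardcoded credential"},
      "locations": [{"physicalLocation": {
        "artifactLocation": {"uri": "src/config.py"},
        "region": {"startLine": 12}}}]}]
  }]
}
EOF
}

# The "sarif" field of the upload must be gzip-compressed and base64-encoded.
# tr strips the line wrapping that some base64 implementations add.
encode_sarif() {
  gzip -c "$1" | base64 | tr -d '\n'
}

# Reverse the encoding; useful to verify a payload before sending it.
decode_sarif() {
  printf '%s' "$1" | base64 -d | gzip -dc
}

# Upload one SARIF file.
# $1 = owner/repo, $2 = SARIF path, $3 = commit SHA analysed,
# $4 = full ref the results belong to (refs/heads/main or refs/pull/N/merge).
upload_sarif() {
  payload=$(encode_sarif "$2")
  if [ "${DRY_RUN:-1}" = "1" ]; then
    printf '[dry-run] gh api -X POST /repos/%s/code-scanning/sarifs -f commit_sha=%s -f ref=%s -f sarif=<%s bytes>\n' \
      "$1" "$3" "$4" "${#payload}"
  else
    # The response carries an "id" that can be polled at
    # GET /repos/{owner}/{repo}/code-scanning/sarifs/{id} for processing status.
    gh api -X POST "/repos/$1/code-scanning/sarifs" \
      -f commit_sha="$3" -f ref="$4" -f sarif="$payload" --jq .id
  fi
}
```

Run with `DRY_RUN=0` to perform the upload; `gh api` reports the HTTP error body on failure, which is where a rejected SARIF (wrong schema version, ref that does not exist, or a compressed payload over the size limit) shows up. Passing `refs/pull/N/merge` as the ref makes the results appear on that pull request, which is usually what a pilot team wants to see first.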

Piloting secret scanning

GitHub scans repositories for known types of secrets, to prevent fraudulent use of secrets that were committed accidentally.

You need to enable secret scanning and push protection for each pilot project. You can do this with the GitHub-recommended security configuration, or you can create a custom security configuration. For more information, see Applying the GitHub-recommended security configuration in your organization and Creating a custom security configuration.
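Both the code scanning step above (default setup on a chosen subset of repositories rather than the whole organization) and the secret scanning and push protection step in this section can be scripted for a pilot list, which keeps the pilot repeatable when repositories are added to it. The following is an added example that is not part of the original article or of any GitHub tooling: a POSIX shell script that drives the REST API through the gh CLI. It assumes gh is installed and authenticated as an organization owner, that a GitHub Advanced Security license is available for the repositories, that the repositories are private or internal (the `advanced_security` key in the payload applies to those; public repositories already have secret scanning available), and that the two endpoints it calls behave as documented: `PATCH /repos/{owner}/{repo}/code-scanning/default-setup` and `PATCH /repos/{owner}/{repo}` with a `security_and_analysis` object. The pilot repository list is a constructed placeholder.

```shell
#!/bin/sh
# Added example (not from the GitHub docs): enable code scanning default setup,
# secret scanning and push protection on a pilot subset of repositories.
# Assumptions: gh is authenticated as an org owner, repos are private/internal
# with a GHAS license available, DRY_RUN=1 (the default) only prints API calls.
set -eu

# Constructed pilot list, one owner/repo per line. Blank lines and '#' comments
# are ignored so the list can carry notes about why each repo was chosen.
PILOT_REPOS='
# payments and identity are the high-impact services chosen for the pilot
octo-org/payments-api
octo-org/identity-service
'

DRY_RUN="${DRY_RUN:-1}"

# Emit the usable repositories from the list, one per line.
pilot_repos() {
  printf '%s\n' "$PILOT_REPOS" | grep -v '^[[:space:]]*#' | grep -v '^[[:space:]]*$'
}

# JSON body for PATCH /repos/{owner}/{repo}: turns on GHAS, secret scanning
# and push protection for the repository in one call.
secret_scanning_payload() {
  printf '{"security_and_analysis":{"advanced_security":{"status":"enabled"},"secret_scanning":{"status":"enabled"},"secret_scanning_push_protection":{"status":"enabled"}}}'
}

# Execute a command, or print it when DRY_RUN=1.
run() {
  if [ "$DRY_RUN" = "1" ]; then
    printf '[dry-run] %s\n' "$*"
  else
    "$@"
  fi
}

# Enable default setup for code scanning on one repository.
# query_suite can be "default" or "extended"; default is the lighter choice
# recommended for a first rollout.
enable_code_scanning() {
  run gh api -X PATCH "/repos/$1/code-scanning/default-setup" \
    -f state=configured -f query_suite=default
}

# Enable secret scanning and push protection on one repository.
enable_secret_scanning() {
  secret_scanning_payload | run gh api -X PATCH "/repos/$1" --input -
}

# Read back the default setup state so the pilot can be verified afterwards.
check_code_scanning() {
  run gh api "/repos/$1/code-scanning/default-setup" --jq .state
}

# Apply all three operations to every pilot repository.
apply_pilot() {
  pilot_repos | while IFS= read -r repo; do
    enable_code_scanning "$repo"
    enable_secret_scanning "$repo"
    check_code_scanning "$repo"
  done
}

# Only act when explicitly asked, so the file can also be sourced for its functions.
if [ "${PILOT_APPLY:-0}" = "1" ]; then
  apply_pilot
fi
```

Run it as `PILOT_APPLY=1 DRY_RUN=0 sh pilot.sh` to apply the settings; the default invocation prints the calls it would make, which is a convenient artifact to attach to the pilot kick-off notes. If the organization is managed through security configurations instead, the same list can be fed to the configuration attach endpoint, but mixing per-repository calls like these with an enforced configuration will produce conflicts, so pick one mechanism for the pilot.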

If you plan to configure a link to a resource in the message that's displayed when a developer attempts to push a blocked secret, now would be a good time to test and start to refine the guidance that you plan to make available.

Start to review activity using the push protection metrics page in security overview. For more information, see Viewing metrics for secret scanning push protection.

If you have collated any custom patterns specific to your enterprise, especially any related to the projects piloting secret scanning, you can configure those now. For more information, see Defining custom patterns for secret scanning.
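Before a custom pattern is added to the organization, it is worth checking it against lines that look like your real secrets and against the placeholders and fixtures that should not match, since an over-broad pattern generates alerts that the pilot teams will learn to ignore. The following is an added example and not part of the original article or of GitHub's own tooling: a POSIX shell harness that runs a candidate pattern over constructed sample lines with grep -E. The `acme_tok_` token format is invented for the example; substitute your own internal secret format. GitHub documents that custom patterns are evaluated with the Hyperscan library, whose syntax accepts this kind of extended regular expression, so an expression that behaves well here can be pasted into the "Secret format" field of the pattern form.

```shell
#!/bin/sh
# Added example (not from the GitHub docs): prototype a custom secret scanning
# pattern against constructed sample lines before defining it in the org UI.
# The "acme_tok_" + 32 hex character format is invented for this example.
set -eu

# Candidate secret format. Only the secret itself goes here; the pattern form
# has separate "Before secret" and "After secret" fields for context.
PATTERN='acme_tok_[0-9a-f]{32}'

# Constructed fixture in grep -H style (file:line). The first two lines are
# real-looking tokens, the third is documentation, the fourth is a test
# fixture that is too short to be a real token. Only the first two should match.
SAMPLE_LINES='config.yml:  api_key: acme_tok_0123456789abcdef0123456789abcdef
src/client.py:TOKEN = "acme_tok_ffffffffffffffffffffffffffffffff"
README.md:Set ACME_TOKEN to acme_tok_<your token here>
tests/fixtures.py:FAKE = "acme_tok_deadbeef"'

# Print the sample lines that the given pattern matches.
find_candidates() {
  printf '%s\n' "$SAMPLE_LINES" | grep -E "$1" || true
}

# Count matches for the given pattern (0 when nothing matches).
count_matches() {
  find_candidates "$1" | grep -c . || true
}

# Compare the candidate with an over-broad variant to show why the length
# bound matters: "+" also catches the fixture value.
compare_patterns() {
  printf 'bounded   %s -> %s matches\n' "$PATTERN" "$(count_matches "$PATTERN")"
  printf 'unbounded %s -> %s matches\n' 'acme_tok_[0-9a-f]+' "$(count_matches 'acme_tok_[0-9a-f]+')"
}
```

Against a real repository the same check is `git grep -E -n "$PATTERN"` over the history you care about (`git grep -E "$PATTERN" $(git rev-list --all)` for every commit), which is also the quickest way to see whether a pattern would surface secrets that were committed before the pilot started.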

To learn how to view and close alerts for secrets checked into your repository, see Managing alerts from secret scanning.

Tip

For the next article in this series, see Phase 4: Create internal documentation.