About custom security configurations
With custom security configurations, you can create collections of enablement settings for GitHub's security products to meet the specific security needs of your organization. For example, you can create a different custom security configuration for each organization or group of organizations to reflect their unique security requirements and compliance obligations.
You can also choose whether or not you want to include GitHub Code Security or GitHub Secret Protection features in a configuration.
If you do, keep in mind that these features incur usage costs (or require GitHub Advanced Security licenses) when applied to private and internal repositories. For more information, see About GitHub Advanced Security.
When creating a security configuration, keep in mind that:
- Only features installed by a site administrator on your GitHub Enterprise Server instance will appear in the UI.
- Some features will only be visible if your organization or GitHub Enterprise Server instance has purchased the relevant GitHub Advanced Security product (GitHub Code Security or GitHub Secret Protection).
- Certain features, like Dependabot security updates and code scanning default setup, also require that GitHub Actions is installed on the GitHub Enterprise Server instance.
Important
The order and names of some settings will differ depending on whether you are using licenses for the original GitHub Advanced Security product or for the two new products, GitHub Code Security and GitHub Secret Protection. See Creating a GitHub Advanced Security configuration or Creating a Secret Protection and Code Security configuration.
Creating a Secret Protection and Code Security configuration
1. In the upper-right corner of GitHub, click your profile photo, then click Your organizations.
2. Under your organization name, click Settings. If you cannot see the "Settings" tab, select the dropdown menu, then click Settings.
3. In the "Security" section of the sidebar, select the Advanced Security dropdown menu, then click Configurations.
4. In the "Security configurations" section, click New configuration.
5. To configure groups of security features for your repositories, click Custom configuration.
6. To help identify your custom security configuration and clarify its purpose on the "Security configurations" page, name your configuration and create a description.
7. Optionally, enable "Secret Protection", a paid feature for private repositories. Enabling Secret Protection enables alerts for secret scanning. In addition, you can choose whether to enable, disable, or keep the existing settings for the following secret scanning features:
   - Validity checks. To learn more about validity checks for partner patterns, see Evaluating secret scanning alerts. Your site administrator must enable validity checks before you can use this feature. See Configuring secret scanning for your appliance.
   - Non-provider patterns. To learn more about scanning for non-provider patterns, see Supported secret scanning patterns and Viewing and filtering alerts from secret scanning.
   - Push protection. To learn about push protection, see Push protection.
   - Bypass privileges. By assigning bypass privileges or exemptions, selected actors can bypass or skip push protection. There is a review and approval process for all other contributors. See Delegated bypass for push protection.
   - Prevent direct alert dismissals. To learn more, see Enabling delegated alert dismissal for secret scanning.
8. Optionally, enable "Code Security", a paid feature for private repositories. You can choose whether to enable, disable, or keep the existing settings for the following code scanning features:
   - Default setup. To learn more about default setup, see Configuring default setup for code scanning.
     Note
     To create a configuration that you can apply to all repositories regardless of their current code scanning setup, choose "Enabled with advanced setup allowed". This enables default setup only on repositories where CodeQL analysis is not actively running. This option is available in GitHub Enterprise Server 3.19.
   - Runner type. If you want to target specific runners for code scanning, you can choose to use custom-labeled runners at this step. See Configuring default setup for code scanning.
   - Prevent direct alert dismissals. To learn more, see Enabling delegated alert dismissal for code scanning.
9. Still under "Code Security", in the "Dependency scanning" table, choose whether you want to enable, disable, or keep the existing settings for the following dependency scanning features:
   - Dependency graph. To learn about dependency graph, see Dependency graph.
     Tip
     When both "Code Security" and dependency graph are enabled, dependency review is enabled as well. See Dependency review.
   - Dependabot alerts. To learn about Dependabot, see Dependabot alerts.
   - Security updates. To learn about security updates, see Dependabot security updates.
   - Prevent direct alert dismissals. To learn more, see Enabling delegated alert dismissal for Dependabot.
10. Optionally, in the "Policy" section, you can use additional options to control how the configuration is applied:
   - Use as default for newly created repositories. Select the None dropdown menu, then click Public, Private and internal, or All repositories.
     Note
     An organization's default security configuration is applied automatically only to new repositories created within the organization. If a repository is transferred into your organization, you will still need to apply an appropriate security configuration to the repository manually.
   - Enforce configuration. Block repository owners from changing features that are enabled or disabled by the configuration (features that are not set aren't enforced). Select Enforce from the dropdown menu.
     Note
     Some situations can interrupt the enforcement of security configurations. See Security configuration enforcement.
11. To finish creating your custom security configuration, click Save configuration.
Creating a GitHub Advanced Security configuration
1. In the upper-right corner of GitHub, click your profile photo, then click Your organizations.
2. Under your organization name, click Settings. If you cannot see the "Settings" tab, select the dropdown menu, then click Settings.
3. In the "Security" section of the sidebar, select the Advanced Security dropdown menu, then click Configurations.
4. In the "Security configurations" section, click New configuration.
5. To help identify your custom security configuration and clarify its purpose on the "New configuration" page, name your configuration and create a description.
6. In the "GitHub Advanced Security features" row, choose whether to include or exclude GitHub Advanced Security (GHAS) features.
7. In the "Secret scanning" table, choose whether you want to enable, disable, or keep the existing settings for the following security features:
   - Alerts. To learn about secret scanning alerts, see Secret scanning.
   - Validity checks. To learn more about validity checks for partner patterns, see Evaluating secret scanning alerts.
   - Non-provider patterns. To learn more about scanning for non-provider patterns, see Supported secret scanning patterns and Viewing and filtering alerts from secret scanning.
   - Push protection. To learn about push protection, see Push protection.
   - Bypass privileges. By assigning bypass privileges or exemptions, selected actors can bypass or skip push protection. There is a review and approval process for all other contributors. See Delegated bypass for push protection.
   - Prevent direct alert dismissals. To learn more, see Enabling delegated alert dismissal for secret scanning.
8. In the "Code scanning" table, choose whether you want to enable, disable, or keep the existing settings for code scanning default setup.
   - Default setup. To learn more about default setup, see Configuring default setup for code scanning.
     Note
     To create a configuration that you can apply to all repositories regardless of their current code scanning setup, choose "Enabled with advanced setup allowed". This enables default setup only on repositories where CodeQL analysis is not actively running. This option is available in GitHub Enterprise Server 3.19.
   - Runner type. If you want to target specific runners for code scanning, you can choose to use custom-labeled runners at this step. See Configuring default setup for code scanning.
   - Prevent direct alert dismissals. To learn more, see Enabling delegated alert dismissal for code scanning.
9. In the "Dependency scanning" table, choose whether you want to enable, disable, or keep the existing settings for the following dependency scanning features:
   - Dependency graph. To learn about dependency graph, see Dependency graph.
     Tip
     When both "GitHub Advanced Security" and dependency graph are enabled, dependency review is enabled as well. See Dependency review.
   - Dependabot alerts. To learn about Dependabot, see Dependabot alerts.
   - Security updates. To learn about security updates, see Dependabot security updates.
   - Prevent direct alert dismissals. To learn more, see Enabling delegated alert dismissal for Dependabot.
10. Optionally, in the "Policy" section, you can use additional options to control how the configuration is applied:
   - Use as default for newly created repositories. Select the None dropdown menu, then click Public, Private and internal, or All repositories.
     Note
     An organization's default security configuration is applied automatically only to new repositories created within the organization. If a repository is transferred into your organization, you will still need to apply an appropriate security configuration to the repository manually.
   - Enforce configuration. Block repository owners from changing features that are enabled or disabled by the configuration (features that are not set aren't enforced). Select Enforce from the dropdown menu.
11. To finish creating your custom security configuration, click Save configuration.
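The same choices made in the two procedures above (enable, disable, or keep the existing setting per feature, plus the enforcement policy) can be expressed as a request body and validated before submission. This is an added example, not code from this page or from GitHub; it assumes the REST endpoint POST /orgs/{org}/code-security/configurations, the field names in FEATURE_KEYS and the values enabled/disabled/not_set from the GitHub REST API, and the host, organization and token are placeholders.

```python
"""Build, validate and optionally submit a custom security configuration.

Assumption: the endpoint POST /orgs/{org}/code-security/configurations, the
field names in FEATURE_KEYS and the values enabled/disabled/not_set come from
the GitHub REST API, not from this page. Host, org and token are placeholders.
"""
import json
import urllib.request

SETTINGS = {"enabled", "disabled", "not_set"}  # enable / disable / keep existing
FEATURE_KEYS = {
    "advanced_security",                     # "Code Security" (GHAS features)
    "secret_scanning",                       # Secret Protection alerts
    "secret_scanning_validity_checks",
    "secret_scanning_non_provider_patterns",
    "secret_scanning_push_protection",
    "code_scanning_default_setup",
    "dependency_graph",
    "dependabot_alerts",
    "dependabot_security_updates",
}

def build_config(name, description, enforce=False, **features):
    """Return the request body; unknown keys or values are rejected before any request."""
    body = {"name": name, "description": description,
            "enforcement": "enforced" if enforce else "unenforced"}
    for key, value in features.items():
        if key not in FEATURE_KEYS:
            raise ValueError(f"unknown feature {key!r}")
        if value not in SETTINGS:
            raise ValueError(f"{key}: {value!r} must be one of {sorted(SETTINGS)}")
        body[key] = value  # "not_set" keeps the repository's existing setting and is never enforced
    return body

def implies_dependency_review(body):
    """Dependency review is enabled when Code Security and dependency graph are both enabled."""
    return body.get("advanced_security") == "enabled" and body.get("dependency_graph") == "enabled"

def submit(api_base, org, token, body):
    """POST the body; api_base is https://HOSTNAME/api/v3 on GitHub Enterprise Server."""
    req = urllib.request.Request(
        f"{api_base}/orgs/{org}/code-security/configurations",
        data=json.dumps(body).encode(), method="POST",
        headers={"Authorization": f"Bearer {token}", "Content-Type": "application/json",
                 "Accept": "application/vnd.github+json"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)
```

Call build_config with the per-feature choices from the steps above and enforce=True for the "Enforce configuration" policy, then pass the result to submit with a token that has organization administration permission.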
Next steps
To apply your custom security configuration to repositories in your organization, see Applying a custom security configuration.
To learn how to edit your custom security configuration, see Editing a custom security configuration.