---
title: Creating a custom security configuration
shortTitle: Create custom configuration
intro: 'Build a {% data variables.product.prodname_custom_security_configuration %} to meet the specific security needs of repositories in your organization.'
permissions: '{% data reusables.permissions.security-org-enable %}'
versions:
redirect_from:
contentType: how-tos
category:
---
With {% data variables.product.prodname_custom_security_configurations %}, you can create collections of enablement settings for {% data variables.product.company_short %}'s security products to meet the specific security needs of your organization. For example, you can create a different {% data variables.product.prodname_custom_security_configuration %} for each organization or group of organizations to reflect their unique security requirements and compliance obligations.
You can also choose whether or not you want to include {% data variables.product.prodname_GH_code_security %} or {% data variables.product.prodname_GH_secret_protection %} features in a configuration.
If you do, keep in mind that these features incur usage costs (or require {% data variables.product.prodname_GHAS %} licenses) when applied to private and internal repositories. For more information, see AUTOTITLE.
{% ifversion ghes %}
When creating a security configuration, keep in mind that:
- Only features installed by a site administrator on your {% data variables.product.prodname_ghe_server %} instance will appear in the UI.
- Some features will only be visible if your organization or {% data variables.product.prodname_ghe_server %} instance has purchased the relevant {% data variables.product.prodname_GHAS %} product ({% data variables.product.prodname_GH_code_security %} or {% data variables.product.prodname_GH_secret_protection %}).
- Certain features, like {% data variables.product.prodname_dependabot_security_updates %} and {% data variables.product.prodname_code_scanning %} default setup, also require that {% data variables.product.prodname_actions %} is installed on the {% data variables.product.prodname_ghe_server %} instance.
{% endif %}
{% data reusables.advanced-security.bundled-vs-unbundled-ui %} See Creating a {% data variables.product.prodname_GHAS %} configuration or Creating a {% data variables.product.prodname_cs_and_sp %} configuration.
## Creating a {% data variables.product.prodname_cs_and_sp %} configuration

{% data reusables.profile.access_org %}
{% data reusables.organizations.org_settings %}
{% data reusables.security-configurations.view-configurations-page %}
1. In the "{% data variables.product.prodname_security_configurations_caps %}" section, click **New configuration**.
1. To configure groups of security features for your repositories, click **Custom configuration**.
1. To help identify your {% data variables.product.prodname_custom_security_configuration %} and clarify its purpose on the "{% data variables.product.prodname_security_configurations_caps %}" page, name your configuration and create a description.
1. Optionally, enable "{% data variables.product.prodname_secret_protection %}", a paid feature for private {% ifversion ghec %}and internal {% endif %}repositories. Enabling {% data variables.product.prodname_secret_protection %} enables alerts for {% data variables.product.prodname_secret_scanning %}. In addition, you can choose whether to enable, disable, or keep the existing settings for the following {% data variables.product.prodname_secret_scanning %} features:{% ifversion secret-scanning-validity-check-partner-patterns %}
   - **Validity checks**. To learn more about validity checks for partner patterns, see AUTOTITLE.{% ifversion ghes > 3.19 %} Your site administrator must enable validity checks before you can use this feature. See AUTOTITLE.{% endif %}{% endif %}{% ifversion fpt or ghec %}
   - **Extended metadata**. To learn more about extended metadata checks, see About extended metadata checks and AUTOTITLE.

     > [!NOTE]
     > You can only enable extended metadata checks if validity checks are enabled.{% endif %}
   - **Non-provider patterns**. To learn more about scanning for non-provider patterns, see AUTOTITLE and AUTOTITLE.{% ifversion secret-scanning-ai-generic-secret-detection %}
   - **Scan for generic passwords**. To learn more, see AUTOTITLE.{% endif %}
   - **Push protection**. To learn about push protection, see AUTOTITLE.
   - **Bypass privileges**. By assigning bypass privileges{% ifversion push-protection-org-enterprise-exemptions %} or exemptions{% endif %}, selected actors can bypass{% ifversion push-protection-org-enterprise-exemptions %} or skip{% endif %} push protection. All other contributors go through a review and approval process. See AUTOTITLE.
   - **Prevent direct alert dismissals**. To learn more, see AUTOTITLE.
1. Optionally, enable "{% data variables.product.prodname_code_security %}", a paid feature for private {% ifversion ghec %}and internal {% endif %}repositories. You can choose whether to enable, disable, or keep the existing settings for the following {% data variables.product.prodname_code_scanning %} features:
   - **Default setup**. To learn more about default setup, see AUTOTITLE. {% data reusables.code-scanning.enable-default-setup-allow-advanced-setup-note %}
   - **Runner type**. If you want to target specific runners for {% data variables.product.prodname_code_scanning %}, you can choose to use custom-labeled runners at this step. See AUTOTITLE.
   - **Prevent direct alert dismissals**. To learn more, see AUTOTITLE.
1. Still under "{% data variables.product.prodname_code_security %}", in the "Dependency scanning" table, choose whether you want to enable, disable, or keep the existing settings for the following dependency scanning features:
   - **Dependency graph**. To learn about dependency graph, see AUTOTITLE.

     > [!TIP]
     > When both "{% data variables.product.prodname_code_security %}" and **Dependency graph** are enabled, dependency review is enabled as well. See AUTOTITLE.{%- ifversion maven-transitive-dependencies %}
   - **Automatic dependency submission**. To learn about automatic dependency submission, see AUTOTITLE.{%- endif %}
   - **{% data variables.product.prodname_dependabot %} alerts**. To learn about {% data variables.product.prodname_dependabot %}, see AUTOTITLE.
   - **Security updates**. To learn about security updates, see AUTOTITLE.{% ifversion dependabot-delegated-alert-dismissal %}
   - **Prevent direct alert dismissals**. To learn more, see AUTOTITLE.{% endif %}{% ifversion dependabot-malware-alerts %}
   - **{% data variables.product.prodname_dependabot_malware_alerts_short_caps %}**. To learn more, see AUTOTITLE.{% endif %}{% ifversion fpt or ghec %}
1. For "Private vulnerability reporting", choose whether you want to enable, disable, or keep the existing settings. To learn about private vulnerability reporting, see AUTOTITLE.{% endif %}
1. Optionally, in the "Policy" section, use the additional options to control how the configuration is applied:
   - **Use as default for newly created repositories**. Select the **None** {% octicon "triangle-down" aria-hidden="true" aria-label="triangle-down" %} dropdown menu, then click **Public**, **Private and internal**, or **All repositories**. {% data reusables.security-configurations.default-configuration-exception-repo-transfers %}
   - **Enforce configuration**. Block repository owners from changing features that are enabled or disabled by the configuration (features that are not set aren't enforced). Select **Enforce** from the dropdown menu.

   {% data reusables.code-scanning.security-configuration-enforcement-edge-cases %}
{% data reusables.code-scanning.save-custom-configuration %}
## Creating a {% data variables.product.prodname_GHAS %} configuration

{% data reusables.profile.access_org %}
{% data reusables.organizations.org_settings %}
{% data reusables.security-configurations.view-configurations-page %}
1. In the "Security configurations" section, click **New configuration**.
1. To help identify your {% data variables.product.prodname_custom_security_configuration %} and clarify its purpose on the "New configuration" page, name your configuration and create a description.
1. In the "{% data variables.product.prodname_GHAS %} features" row, choose whether to include or exclude {% data variables.product.prodname_GHAS %} (GHAS) features.
1. In the "{% data variables.product.prodname_secret_scanning_caps %}" table, choose whether you want to enable, disable, or keep the existing settings for the following security features:{% ifversion ghes %}
   - **Alerts**. To learn about {% data variables.secret-scanning.alerts %}, see AUTOTITLE.{% endif %}{% ifversion secret-scanning-validity-check-partner-patterns %}
   - **Validity checks**. To learn more about validity checks for partner patterns, see AUTOTITLE.{% endif %}
   - **Non-provider patterns**. To learn more about scanning for non-provider patterns, see AUTOTITLE and AUTOTITLE.{% ifversion secret-scanning-ai-generic-secret-detection %}
   - **Scan for generic passwords**. To learn more, see AUTOTITLE.{% endif %}
   - **Push protection**. To learn about push protection, see AUTOTITLE.
   - **Bypass privileges**. By assigning bypass privileges{% ifversion push-protection-org-enterprise-exemptions %} or exemptions{% endif %}, selected actors can bypass{% ifversion push-protection-org-enterprise-exemptions %} or skip{% endif %} push protection. All other contributors go through a review and approval process. See AUTOTITLE.
   - **Prevent direct alert dismissals**. To learn more, see AUTOTITLE.
1. In the "{% data variables.product.prodname_code_scanning_caps %}" table, choose whether you want to enable, disable, or keep the existing settings for the following {% data variables.product.prodname_code_scanning %} features:
   - **Default setup**. To learn more about default setup, see AUTOTITLE. {% data reusables.code-scanning.enable-default-setup-allow-advanced-setup-note %}
   - **Runner type**. If you want to target specific runners for {% data variables.product.prodname_code_scanning %}, you can choose to use custom-labeled runners at this step. See AUTOTITLE.
   - **Prevent direct alert dismissals**. To learn more, see AUTOTITLE.
1. In the "Dependency scanning" table, choose whether you want to enable, disable, or keep the existing settings for the following dependency scanning features:
   - **Dependency graph**. To learn about dependency graph, see AUTOTITLE.

     > [!TIP]
     > When both "{% data variables.product.prodname_GHAS %}" and **Dependency graph** are enabled, dependency review is enabled as well. See AUTOTITLE.{%- ifversion maven-transitive-dependencies %}
   - **Automatic dependency submission**. To learn about automatic dependency submission, see AUTOTITLE.{%- endif %}
   - **{% data variables.product.prodname_dependabot %} alerts**. To learn about {% data variables.product.prodname_dependabot %}, see AUTOTITLE.
   - **Security updates**. To learn about security updates, see AUTOTITLE.{% ifversion dependabot-delegated-alert-dismissal %}
   - **Prevent direct alert dismissals**. To learn more, see AUTOTITLE.{% endif %}{% ifversion dependabot-malware-alerts %}
   - **{% data variables.product.prodname_dependabot_malware_alerts_short_caps %}**. To learn more, see AUTOTITLE.{% endif %}{% ifversion fpt or ghec %}
1. For "Private vulnerability reporting", choose whether you want to enable, disable, or keep the existing settings. To learn about private vulnerability reporting, see AUTOTITLE.{% endif %}
1. Optionally, in the "Policy" section, use the additional options to control how the configuration is applied:
   - **Use as default for newly created repositories**. Select the **None** {% octicon "triangle-down" aria-hidden="true" aria-label="triangle-down" %} dropdown menu, then click **Public**, **Private and internal**, or **All repositories**. {% data reusables.security-configurations.default-configuration-exception-repo-transfers %}
   - **Enforce configuration**. Block repository owners from changing features that are enabled or disabled by the configuration (features that are not set aren't enforced). Select **Enforce** from the dropdown menu.
{% data reusables.code-scanning.save-custom-configuration %}
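Both procedures above make the same three-way choice (enable, disable, or keep the existing setting) for each feature and then decide whether the configuration is enforced. As an added example that is not GitHub's own code and not part of this page, the script below expresses those choices as the JSON body for the REST endpoint `POST /orgs/{org}/code-security/configurations`, reports which features enforcement will actually lock (only the ones explicitly enabled or disabled, as the "Enforce configuration" option states), and flags secret scanning or code scanning features that are switched on without the paid product that they belong to. The endpoint paths, field names and accepted values are my reading of the public REST API reference and are assumptions here; the script builds the requests but never sends them.

```python
import json
import urllib.request

# Assumption: github.com API host; a GHES instance uses its own hostname.
API_ROOT = "https://api.github.com"

# The three choices the configuration UI offers per feature, mapped to the
# values I believe the REST API accepts (assumption; verify in the API reference).
UI_TO_API = {"enable": "enabled", "disable": "disabled", "keep existing": "not_set"}

# Feature fields grouped by the product that must be included for them to apply.
SECRET_PROTECTION_FIELDS = {
    "secret_scanning", "secret_scanning_validity_checks",
    "secret_scanning_non_provider_patterns", "secret_scanning_generic_secrets",
    "secret_scanning_push_protection", "secret_scanning_delegated_bypass",
    "secret_scanning_delegated_alert_dismissal",
}
CODE_SECURITY_FIELDS = {"code_scanning_default_setup", "code_scanning_delegated_alert_dismissal"}
FREE_FIELDS = {
    "dependency_graph", "dependency_graph_autosubmit_action", "dependabot_alerts",
    "dependabot_security_updates", "private_vulnerability_reporting",
}
ALL_FIELDS = SECRET_PROTECTION_FIELDS | CODE_SECURITY_FIELDS | FREE_FIELDS
DEFAULT_SCOPES = {"none", "public", "private_and_internal", "all"}


def build_payload(name, description, choices, *, secret_protection, code_security, enforce):
    """Translate UI choices ("enable" / "disable" / "keep existing") into the request body."""
    body = {"name": name, "description": description}
    for feature, choice in choices.items():
        if feature not in ALL_FIELDS:
            raise ValueError(f"unknown feature: {feature}")
        if choice not in UI_TO_API:
            raise ValueError(f"{feature}: choice must be one of {sorted(UI_TO_API)}")
        body[feature] = UI_TO_API[choice]
    # Which paid product(s) the configuration includes (both, one, or neither).
    if secret_protection and code_security:
        body["advanced_security"] = "enabled"
    elif secret_protection:
        body["advanced_security"] = "secret_protection"
    elif code_security:
        body["advanced_security"] = "code_security"
    else:
        body["advanced_security"] = "disabled"
    body["enforcement"] = "enforced" if enforce else "unenforced"
    return body


def enforced_features(body):
    """Enforcement locks only features set to enabled/disabled; 'not_set' ones stay editable."""
    if body.get("enforcement") != "enforced":
        return []
    return sorted(f for f in ALL_FIELDS if body.get(f) in ("enabled", "disabled"))


def lint(body):
    """Flag combinations that will not take effect the way the author probably intended."""
    problems = []
    product = body.get("advanced_security", "disabled")
    has_sp = product in ("enabled", "secret_protection")
    has_cs = product in ("enabled", "code_security")
    for f in sorted(SECRET_PROTECTION_FIELDS):
        if body.get(f) == "enabled" and not has_sp:
            problems.append(f"{f} is enabled but Secret Protection is not included")
    for f in sorted(CODE_SECURITY_FIELDS):
        if body.get(f) == "enabled" and not has_cs:
            problems.append(f"{f} is enabled but Code Security is not included")
    if body.get("enforcement") == "enforced" and not enforced_features(body):
        problems.append("enforcement is on but every feature is 'keep existing', so nothing is locked")
    return problems


def create_request(org, body, token):
    """Build, but do not send, the POST that creates the configuration."""
    return urllib.request.Request(
        f"{API_ROOT}/orgs/{org}/code-security/configurations",
        data=json.dumps(body).encode(), method="POST",
        headers={"Authorization": f"Bearer {token}",
                 "Accept": "application/vnd.github+json", "Content-Type": "application/json"},
    )


def default_request(org, config_id, scope, token):
    """Build the PUT that makes a saved configuration the default for new repositories."""
    if scope not in DEFAULT_SCOPES:
        raise ValueError(f"scope must be one of {sorted(DEFAULT_SCOPES)}")
    return urllib.request.Request(
        f"{API_ROOT}/orgs/{org}/code-security/configurations/{config_id}/defaults",
        data=json.dumps({"default_for_new_repos": scope}).encode(), method="PUT",
        headers={"Authorization": f"Bearer {token}", "Accept": "application/vnd.github+json"},
    )


if __name__ == "__main__":
    # Constructed example: Secret Protection on, push protection locked, code scanning left alone.
    body = build_payload(
        "Production baseline", "Constructed example configuration",
        {"secret_scanning_push_protection": "enable", "dependency_graph": "enable",
         "dependabot_alerts": "keep existing"},
        secret_protection=True, code_security=False, enforce=True,
    )
    print(json.dumps(body, indent=2))
    print("locked by enforcement:", enforced_features(body))
    print("lint:", lint(body) or "ok")
    print(create_request("example-org", body, "<TOKEN PLACEHOLDER>").get_method())
```

The `lint` step is the part worth keeping in a review pipeline: a configuration that enforces nothing, or that enables push protection without including {% data variables.product.prodname_secret_protection %}, saves without error in the UI but gives repositories less coverage than the reviewer assumed.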
To apply your {% data variables.product.prodname_custom_security_configuration %} to repositories in your organization, see AUTOTITLE.
{% data reusables.security-configurations.edit-configuration-next-step %}