Security configurations on GitHub Enterprise Server
Security configurations are collections of enablement settings for GitHub's security features that you can apply to any repository within an organization. When you create a security configuration, you can choose different enablement settings to meet the specific security needs of a group of repositories.
Feature availability
Feature availability in security configurations is determined as follows:
- You will only see features in the UI if they were installed by a site administrator on your GitHub Enterprise Server instance.
- Advanced Security features will only be visible if your enterprise or GitHub Enterprise Server instance holds a GitHub Advanced Security license.
- Certain features, like Dependabot security updates and code scanning default setup, also require that GitHub Actions is installed on the GitHub Enterprise Server instance.
Enforcement of security configurations
When you apply a security configuration, you can choose to enforce it, meaning users cannot change the enablement status of features included in the configuration.
If a user in your organization attempts to change the enablement status of a feature in an enforced configuration using the REST API, the API call will appear to succeed, but no enablement statuses will change.
Some situations can break the enforcement of security configurations for a repository. For example, the enablement of code scanning will not apply to a repository if:
- GitHub Actions is initially enabled on the repository, but is then disabled in the repository.
- GitHub Actions is not available for the repository.
- Self-hosted runners with the label
code-scanningare not available. - The languages excluded from code scanning default setup are changed at the repository level.
Next steps
To learn how to create custom security configurations, see Creating a custom security configuration.