Security configurations

Security configurations are collections of security settings that you can apply to repositories at scale.

Who can use this feature?

Organization owners, enterprise owners, security managers, and organization members with the admin role

Security configurations are collections of enablement settings for GitHub's security features that you can apply to any repositories in your organization.

There are two types of security configuration: the GitHub-recommended security configuration and custom security configurations.

Each repository can only have one security configuration applied to it.

You can create and manage security configurations using the REST API. For more information, see Configurations.

Note

If your enterprise uses Enterprise Managed Users, please note that enterprise-level security configurations are not automatically rolled out to user namespace repositories. Some additional secret scanning settings can be applied to user namespace repositories within the enterprise, but you cannot apply enterprise-level security configurations to this type of user-owned repository.

The GitHub-recommended security configuration offers a number of benefits:

  • It is created and managed by GitHub's subject matter experts.
  • It is the quickest security configuration to apply to all repositories in your organization.
  • It is designed to effectively secure both low- and high-impact repositories.

We recommend that organizations and enterprises initially apply the GitHub-recommended security configuration.

The GitHub-recommended security configuration includes GitHub Code Security and GitHub Secret Protection features. Applying the configuration to private and internal repositories in your organization will incur usage costs or require licenses.

Custom security configurations

If you are familiar with GitHub's security products, and you have specific security needs that the GitHub-recommended security configuration can't meet, you can create and apply custom security configurations. With custom security configurations, you can:

  • Edit the enablement settings for different security features
  • Create several configurations for repositories to reflect their different levels of visibility, risk tolerance, and impact

You can also choose whether or not you want to include GitHub Code Security or GitHub Secret Protection features in a configuration. If you do, keep in mind that these features incur usage costs (or require GitHub Advanced Security licenses) when applied to private and internal repositories.

Enforcement of security configurations

When you apply a security configuration, you can choose to enforce it, meaning users cannot change the enablement status of features included in the configuration.

If a user in your organization or enterprise attempts to change the enablement status of a feature in an enforced configuration using the REST API, the API call will appear to succeed, but no enablement statuses will change. Because the call does not fail, read the repository's configuration back and compare it against the expected state rather than trusting the response code.

Some situations can break the enforcement of security configurations for a repository. For example, the enablement of code scanning will not apply to a repository if:

  • GitHub Actions is initially enabled on the repository, but is then disabled in the repository.
  • GitHub Actions is not available for the repository.
  • The languages excluded from code scanning default setup are changed at the repository level.
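The REST API workflow described above, as an added example that is not GitHub's own code: build the body for creating an enforced custom configuration, then diff a repository's reported configuration against it to catch both silent no-op changes and the Actions-related cases that break code scanning enablement. The endpoint paths and field names are assumptions drawn from the public code-security configurations API; confirm them against the current reference before relying on them.

```python
"""Added example (not GitHub's code). Endpoint paths and field names are
assumptions about the code-security configurations REST API."""
import json
import urllib.request

ENABLEMENT_FIELDS = (
    "advanced_security", "dependency_graph", "dependabot_alerts",
    "dependabot_security_updates", "code_scanning_default_setup",
    "secret_scanning", "secret_scanning_push_protection",
)
VALID_STATES = ("enabled", "disabled", "not_set")


def build_configuration(name, description, enforced=True, **features):
    """Request body for POST /orgs/{org}/code-security/configurations.
    Every feature defaults to 'disabled' so omissions are explicit."""
    body = {"name": name, "description": description,
            "enforcement": "enforced" if enforced else "unenforced"}
    for field in ENABLEMENT_FIELDS:
        value = features.get(field, "disabled")
        if value not in VALID_STATES:
            raise ValueError(f"{field}: unexpected value {value!r}")
        body[field] = value
    return body


def drift(expected, repo_config):
    """Fields where a repository's effective configuration differs from the
    one you applied. An API call against an enforced configuration appears
    to succeed without changing anything, and disabling GitHub Actions
    silently drops code scanning, so re-reading and diffing is the check."""
    return [f for f in ENABLEMENT_FIELDS
            if repo_config.get(f) != expected.get(f)]


def fetch_repo_configuration(owner, repo, token):
    """Live call to GET /repos/{owner}/{repo}/code-security-configuration
    (assumed path); not exercised by the offline sample below."""
    req = urllib.request.Request(
        f"https://api.github.com/repos/{owner}/{repo}/code-security-configuration",
        headers={"Authorization": f"Bearer {token}",
                 "Accept": "application/vnd.github+json"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)["configuration"]


EXPECTED = build_configuration(
    "high-impact", "Code and secret protection for production repos",
    advanced_security="enabled", dependency_graph="enabled",
    dependabot_alerts="enabled", code_scanning_default_setup="enabled",
    secret_scanning="enabled", secret_scanning_push_protection="enabled")
# Constructed sample: what a repository reports after Actions was disabled.
SAMPLE_REPO_CONFIG = dict(EXPECTED, code_scanning_default_setup="disabled")
```

Running `drift(EXPECTED, SAMPLE_REPO_CONFIG)` on the constructed sample flags only `code_scanning_default_setup`, which is exactly the gap an enforced configuration cannot close on its own.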

Next steps

To start securing repositories in your organization with the GitHub-recommended security configuration, see Applying the GitHub-recommended security configuration in your organization.

Alternatively, to start securing repositories in your organization with custom security configurations, see Creating a custom security configuration.