Créer une configuration de sécurité personnalisée pour votre entreprise

Créez une custom security configuration pour répondre aux besoins de sécurité spécifiques de votre entreprise.

Qui peut utiliser cette fonctionnalité ?

Administrateurs du site

Dans cet article

About custom security configurations

With custom security configurations, you can create collections of enablement settings for GitHub's security products to meet the specific security needs of your enterprise. For example, you can create a different custom security configuration for each organization or group of organizations to reflect their unique security requirements and compliance obligations.

When creating a security configuration, keep in mind that:

  • Only features installed by a site administrator on your GitHub Enterprise Server instance will appear in the UI.
  • GitHub Advanced Security features will only be visible if your enterprise or GitHub Enterprise Server instance holds a GitHub Advanced Security license.
  • Certain features, like Dependabot security updates and code scanning default setup, also require that GitHub Actions is installed on the GitHub Enterprise Server instance.

Remarque

The enablement status of some security features is dependent on other, higher-level security features. For example, disabling secret scanning alerts will also disable non-provider patterns and push protection.

  1. In the top-right corner of GitHub Enterprise Server, click your profile picture, then click Enterprise settings.

    Screenshot of the dropdown menu shown when you click your profile picture on GitHub Enterprise Server. The "Enterprise settings" option is outlined.

  2. On the left side of the page, in the enterprise account sidebar, click Settings.

  3. In the left sidebar, click Code security.

  4. In the "Configurations" section, click New configuration.

  5. To help identify your custom security configuration and clarify its purpose on the "Configurations" page, name your configuration and create a description.

  6. In the "prodname_GHAS features" row, choose whether to include or exclude prodname_GHAS (GHAS) features. If you plan to apply a custom security configuration with GHAS features to private repositories, you must have available GHAS licenses for each active unique committer to those repositories, or the features will not be enabled. See About billing for GitHub Advanced Security.

  7. In the "Dependency graph and Dependabot" section of the security settings table, choose whether you want to enable, disable, or keep the existing settings for the following security features:

    Remarque

    Dependabot auto-triage rules are not available to set at enterprise level. If an enterprise-level security configuration is applied to a repository, it can still have Dependabot auto-triage rules enabled, but you can't turn off these rules at the level of the enterprise.

    Remarque

    You cannot manually change the enablement setting for the dependency graph. This setting is installed and managed by a site administrator at the instance level.

  8. In the "Code scanning" section of the security settings table, choose whether you want to enable, disable, or keep the existing settings for code scanning default setup. To learn about default setup, see Configuring default setup for code scanning.

  9. In the "Secret scanning" section of the security settings table, choose whether you want to enable, disable, or keep the existing settings for the following security features:

  10. Optionally, in the "Policy" section, you can choose to automatically apply the security configuration to newly created repositories depending on their visibility. Select the None dropdown menu, then click Public, or Private and internal, or All repositories.

  11. Optionally, in the "Policy" section, you can enforce the configuration and block repository owners from changing features that are enabled or disabled by the configuration (features that are not set aren't enforced). Next to "Enforce configuration", select Enforce from the dropdown menu.

    Remarque

    If a user in your enterprise attempts to change the enablement status of a feature in an enforced configuration using the REST API, the API call will appear to succeed, but no enablement statuses will change.

    Some situations can break the enforcement of security configurations for a repository. For example, the enablement of code scanning will not apply to a repository if:

    • GitHub Actions is initially enabled on the repository, but is then disabled in the repository.
    • GitHub Actions required by code scanning configurations are not available in the repository.
    • Self-hosted runners with the label code-scanning are not available.
    • The definition for which languages should not be analyzed using code scanning default setup is changed.

  12. To finish creating your custom security configuration, click Save configuration.

Next steps

To optionally configure additional secret scanning settings for the enterprise, see Configuring additional secret scanning settings for your enterprise.

To apply your custom security configuration to repositories in your organization, see Applying a custom security configuration.

To learn how to edit your custom security configuration, see Editing a custom security configuration.