Applying the GitHub-recommended security configuration in your organization

Secure your code with the security enablement settings created, managed, and recommended by GitHub.

Who can use this feature?

Organization owners and security managers can manage security configurations and global settings for an organization.

In this article

Note: Security configurations and global settings are in beta and subject to change. To provide feedback on these features, see the feedback discussion.

To learn how to opt out of security configurations and global settings, see "Exploring early access releases with feature preview."

The GitHub-recommended security configuration is a collection of enablement settings for GitHub's security features that is created and maintained by subject matter experts at GitHub. The GitHub-recommended security configuration is designed to successfully reduce the security risks for low- and high-impact repositories. We recommend you apply this configuration to all the repositories in your organization.

  1. In the upper-right corner of GitHub.com, select your profile photo, then click Your organizations.

    Screenshot of the dropdown menu under @octocat's profile picture. "Your organizations" is outlined in dark orange.

  2. Under your organization name, click Settings. If you cannot see the "Settings" tab, select the dropdown menu, then click Settings.

    Screenshot of the tabs in an organization's profile. The "Settings" tab is outlined in dark orange.

  3. In the "Security" section of the sidebar, select the Code security dropdown menu, then click Configurations.

  4. In the "GitHub recommended" row of the configurations table for your organization, select the Apply to dropdown menu, then click All repositories or All repositories without configurations.

  5. Optionally, in the confirmation dialog, you can choose to automatically apply the security configuration to newly created repositories depending on their visibility. Select the None dropdown menu, then click Public, or Private and internal, or both.

    Note: The default security configuration for an organization is only automatically applied to new repositories created in your organization. If a repository is transferred into your organization, you will still need to apply an appropriate security configuration to the repository manually.

  6. To apply the security configuration, click Apply.

  1. In the upper-right corner of GitHub.com, select your profile photo, then click Your organizations.

    Screenshot of the dropdown menu under @octocat's profile picture. "Your organizations" is outlined in dark orange.

  2. Under your organization name, click Settings. If you cannot see the "Settings" tab, select the dropdown menu, then click Settings.

    Screenshot of the tabs in an organization's profile. The "Settings" tab is outlined in dark orange.

  3. In the "Security" section of the sidebar, select the Code security dropdown menu, then click Configurations.

  4. Optionally, in the "Apply configurations" section, filter the view to find the repositories you would like to apply the GitHub-recommended security configuration to. To learn how to filter the repository table, see "Filtering repositories in your organization using the repository table."

  5. In the repository table, select repositories with one of three methods:

    • Select each individual repository you would like to apply the security configuration to.
    • To select all repositories on the current page of the repository table, select NUMBER repositories.
    • After selecting NUMBER repositories, to select all repositories in your organization that match your filter criteria, click Select all.

  6. Select the Apply configuration dropdown menu, then click GitHub recommended.

  7. Optionally, in the confirmation dialog, you can choose to automatically apply the security configuration to newly created repositories depending on their visibility. Select the None dropdown menu, then click Public, or Private and internal, or both.

    Note: The default security configuration for an organization is only automatically applied to new repositories created in your organization. If a repository is transferred into your organization, you will still need to apply an appropriate security configuration to the repository manually.

  8. To apply the security configuration, click Apply.

Next steps

After you apply the GitHub-recommended security configuration, you can customize your organization-level security settings with global settings. See "Configuring global security settings for your organization."

You may encounter an error when you attempt to apply a security configuration. For information on common errors, see "Troubleshooting security configurations."