
Configuring global security settings for your organization

Customize GitHub Advanced Security features and create security managers to strengthen the security of your organization.

Who can use this feature?

Organization owners and security managers can manage security configurations and global settings for an organization.

Note: Security configurations and global settings are in beta and subject to change. To provide feedback on these features, see the feedback discussion.

To learn how to opt out of security configurations and global settings, see "Exploring early access releases with feature preview."

About global settings

Alongside security configurations, which determine repository-level security settings, you should configure global settings for your organization. Global settings apply to your entire organization and let you customize GitHub Advanced Security features to your needs. You can also create security managers on the global settings page to monitor and maintain your organization's security.

Accessing the global settings page for your organization

  1. In the upper-right corner of GitHub.com, select your profile photo, then click Your organizations.

    Screenshot of the dropdown menu under @octocat's profile picture. "Your organizations" is outlined in dark orange.

  2. Under your organization name, click Settings. If you cannot see the "Settings" tab, select the dropdown menu, then click Settings.

    Screenshot of the tabs in an organization's profile. The "Settings" tab is outlined in dark orange.

  3. In the "Security" section of the sidebar, select the Code security dropdown menu, then click Global settings.

Configuring global Dependabot settings

Dependabot consists of three different features that help you manage your dependencies:

  • Dependabot alerts—inform you about vulnerabilities in the dependencies that you use in your repository.
  • Dependabot security updates—automatically raise pull requests to update the dependencies you use that have known security vulnerabilities.
  • Dependabot version updates—automatically raise pull requests to keep your dependencies up-to-date.

You can customize several global settings for Dependabot:

Creating and managing Dependabot auto-triage rules

You can create and manage Dependabot auto-triage rules to instruct Dependabot to automatically dismiss or snooze Dependabot alerts, and even open pull requests to attempt to resolve them. To configure Dependabot auto-triage rules, click , then create or edit a rule:

  • You can create a new rule by clicking New rule, then entering the details for your rule and clicking Create rule.
  • You can edit an existing rule by clicking , then making the desired changes and clicking Save rule.

For more information on Dependabot auto-triage rules, see "About Dependabot auto-triage rules" and "Customizing auto-triage rules to prioritize Dependabot alerts."

Grouping Dependabot security updates

Dependabot can group all automatically suggested security updates into a single pull request to reduce noise. To enable grouped security updates, select Grouped security updates. For more information about grouped updates and customization options, see "Configuring Dependabot security updates."
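The organization-wide "Grouped security updates" setting turns grouping on with GitHub's defaults. A repository can refine how its security updates are grouped in its own `dependabot.yml`. The following is an added example, not configuration from the GitHub docs page; the `npm` ecosystem, the `/` directory, the weekly schedule and the group name `npm-security` are assumptions chosen for illustration:

```yaml
# .github/dependabot.yml  (added example; not from the GitHub docs page)
version: 2
updates:
  - package-ecosystem: "npm"      # assumed ecosystem
    directory: "/"                # assumed manifest location
    schedule:
      interval: "weekly"
    groups:
      # One pull request for all npm security updates instead of one per alert.
      # "applies-to" selects security updates; a group without it applies to
      # version updates only.
      npm-security:
        applies-to: security-updates
        patterns:
          - "*"
```

Reviewing one grouped pull request is faster than triaging many, but the combined diff can touch several packages at once; keep the group's `patterns` narrow enough that a single failing test still points at a small set of changes.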

Enabling Dependabot on GitHub-hosted runners

You can allow Dependabot to use GitHub-hosted runners and the Dependabot action to perform dependency updates. To enable Dependabot for GitHub-hosted runners on all repositories in your organization, click Enable all. To automatically enable Dependabot for GitHub-hosted runners on new repositories in your organization, select Automatically enable for new repositories. For more information, see "About Dependabot on GitHub Actions runners."

Granting Dependabot access to private repositories

To update private dependencies of repositories in your organization, Dependabot needs access to those repositories. To grant Dependabot access to the desired private repository, scroll down to the "Grant Dependabot access to private repositories" section, then use the search bar to find and select the desired repository. Be aware that granting Dependabot access to a repository means all users in your organization will have access to the contents of that repository through Dependabot updates. For more information about the supported ecosystems for private repositories, see "About Dependabot version updates."

Configuring global code scanning settings

Code scanning analyzes the code in a GitHub repository to find security vulnerabilities and coding errors. Any problems identified by the analysis are shown in your repository.

You can customize several global settings for code scanning:

Recommending the extended query suite for default setup

Code scanning offers specific groups of CodeQL queries, called CodeQL query suites, to run against your code. By default, the "Default" query suite is run. GitHub also offers the "Extended" query suite, which contains all the queries in the "Default" query suite, plus additional queries with lower precision and severity. To suggest the "Extended" query suite across your organization, select Recommend the extended query suite for repositories enabling default setup. For more information on built-in query suites for CodeQL default setup, see "CodeQL query suites."
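The recommendation above is applied through the UI for repositories that use default setup. For a repository on advanced setup, the equivalent choice is the `queries` input of the CodeQL `init` step in its workflow. The following workflow is an added example, not code from the GitHub docs page; the workflow file name, the `main` branch and the `javascript` language are assumptions:

```yaml
# .github/workflows/codeql.yml  (added example; not from the GitHub docs page)
name: "CodeQL (extended query suite)"

on:
  push:
    branches: [ "main" ]       # assumed default branch
  pull_request:
    branches: [ "main" ]

permissions:
  contents: read
  security-events: write       # needed to upload results to code scanning

jobs:
  analyze:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - uses: github/codeql-action/init@v3
        with:
          languages: javascript  # assumed language
          # "security-extended" is the "Extended" suite described above: the
          # default suite plus additional lower-precision, lower-severity queries.
          queries: security-extended

      - uses: github/codeql-action/autobuild@v3

      - uses: github/codeql-action/analyze@v3
        with:
          category: "/language:javascript"
```

Because the extended suite adds lower-precision queries, expect more alerts after switching, including some false positives; review the first full run before relying on its results to gate pull requests.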

Setting a failure threshold for code scanning checks in pull requests

You can choose the severity levels at which code scanning check runs on pull requests will fail. To choose a security severity level, select the Security: SECURITY-SEVERITY-LEVEL dropdown menu, then click a security severity level. To choose an alert severity level, select the OTHER: ALERT-SEVERITY-LEVEL dropdown menu, then click an alert severity level. For more information, see "About code scanning alerts."

Configuring global secret scanning settings

Secret scanning is a security tool that scans the entire Git history of your repository, as well as issues, pull requests, and discussions in that repository, for leaked secrets that have been accidentally committed, such as tokens or private keys.

You can customize several global settings for secret scanning:

To provide context for developers when secret scanning blocks a commit, you can display a link with more information on why the commit was blocked. To include a link, select Add a resource link in the CLI and the web UI when a commit is blocked. In the text box, type the link to the desired resource, then click Save.

Creating security managers for your organization

The security manager role grants members of your organization the ability to manage security settings and alerts across your organization. To grant all members of a team the security manager role, in the "Search for teams" text box, type the name of the desired team. In the dropdown menu that appears, click the team, then click I understand, grant security manager permissions.

Security managers can view data for all repositories in your organization through security overview. To learn more about the security manager role, see "Managing security managers in your organization."