Creating a custom security configuration

Build a custom security configuration to meet the specific security needs of repositories in your organization.

Who can use this feature?

Organization owners and security managers can manage security configurations and global settings for an organization.

In this article

Note: Security configurations and global settings are in beta and subject to change. To provide feedback on these features, see the feedback discussion.

About custom security configurations

We recommend securing your organization with the GitHub-recommended security configuration, then evaluating the security findings on your repositories before configuring custom security configurations. For more information, see "Applying the GitHub-recommended security configuration in your organization."

With custom security configurations, you can create collections of enablement settings for GitHub's security products to meet the specific security needs of your organization. For example, you can create a different custom security configuration for each group of repositories to reflect their different levels of visibility, risk tolerance, and impact.

Creating a custom security configuration

Note: The enablement status of some security features is dependent on other, higher-level security features. For example, disabling dependency graph will also disable Dependabot, vulnerability exposure analysis, and security updates. For security configurations, dependent security features are indicated with indentation and .

  1. In the upper-right corner of GitHub.com, select your profile photo, then click Your organizations.

    Screenshot of the dropdown menu under @octocat's profile picture. "Your organizations" is outlined in dark orange.

  2. Under your organization name, click Settings. If you cannot see the "Settings" tab, select the dropdown menu, then click Settings.

    Screenshot of the tabs in an organization's profile. The "Settings" tab is outlined in dark orange.

  3. In the "Security" section of the sidebar, select the Code security dropdown menu, then click Configurations.

  4. In the "Code security configurations" section, click New configuration.

  5. To help identify your custom security configuration and clarify its purpose on the "Code security configurations" page, name your configuration and create a description.

  6. In the "GitHub Advanced Security features" row, choose whether to include or exclude GitHub Advanced Security (GHAS) features. If you plan to apply a custom security configuration with GHAS features to private repositories, you must have available GHAS licenses for each active unique committer to those repositories, or the features will not be enabled. To learn more about committers and GHAS licensing, see "About billing for GitHub Advanced Security."

  7. In the "Dependency graph" section of the security settings table, choose whether you want to enable, disable, or keep the existing settings for the following security features:

    Note: You cannot manually change the enablement settings for vulnerable function calls. If GitHub Advanced Security features and Dependabot alerts are enabled, vulnerable function calls is also enabled. Otherwise, it is disabled.

  8. In the "Code scanning" section of the security settings table, choose whether you want to enable, disable, or keep the existing settings for code scanning default setup. To learn about default setup, see "Configuring default setup for code scanning."

  9. In the "Secret scanning" section of the security settings table, choose whether you want to enable, disable, or keep the existing settings for the following security features:

  10. In the "Private vulnerability reporting" section of the security settings table, choose whether you want to enable, disable, or keep the existing settings for private vulnerability reporting. To learn about private vulnerability reporting, see "Configuring private vulnerability reporting for a repository."

  11. Optionally, in the "Policy" section, you can choose to automatically apply the security configuration to newly created repositories depending on their visibility. Select the None dropdown menu, then click Public, or Private and internal, or both.

    Note: The default security configuration for an organization is only automatically applied to new repositories created in your organization. If a repository is transferred into your organization, you will still need to apply an appropriate security configuration to the repository manually.

  12. To finish creating your custom security configuration, click Save configuration.

Next steps

To apply your custom security configuration to repositories in your organization, see "Applying a custom security configuration."

To learn how to edit your custom security configuration, see "Editing a custom security configuration."