Code security configurations available at the enterprise level (#53229)
Co-authored-by: Anne-Marie <[email protected]>
Co-authored-by: Copilot <[email protected]>
Co-authored-by: Zack Fernandes <[email protected]>
Co-authored-by: Melanie Yarbrough <[email protected]>
1 parent 5a579b8, commit b3ac074
Showing 22 changed files with 402 additions and 6 deletions.
...anaging-code-security/securing-your-enterprise/about-security-configurations.md (43 changes: 43 additions & 0 deletions)
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,43 @@ | ||
--- | ||
title: About security configurations | ||
shortTitle: Security configurations | ||
intro: 'Security configurations are collections of security settings that you can apply across your enterprise.' | ||
product: '{% data reusables.gated-features.security-configurations-enterprise %}' | ||
versions: | ||
feature: security-configuration-enterprise-level | ||
topics: | ||
- Advanced Security | ||
- Enterprise | ||
- Security | ||
--- | ||
|
||
## About {% data variables.product.prodname_security_configurations %} | ||
|
||
{% data variables.product.prodname_security_configurations_caps %} simplify the rollout of {% data variables.product.company_short %} security products at scale by helping you define collections of security settings and apply them across your enterprise. | ||
|
||
{% ifversion security-configurations-cloud %} | ||
|
||
We recommend securing your enterprise with the {% data variables.product.prodname_github_security_configuration %}, then evaluating the security findings on your repositories before configuring {% data variables.product.prodname_custom_security_configurations %}. For more information, see "[AUTOTITLE](/admin/managing-code-security/securing-your-enterprise/applying-the-github-recommended-security-configuration-to-your-enterprise)." | ||
|
||
{% endif %} | ||
|
||
With {% data variables.product.prodname_custom_security_configurations %}, you can create collections of enablement settings for {% data variables.product.company_short %}'s security products to meet the specific security needs of your enterprise. For example, you can create a different {% data variables.product.prodname_custom_security_configuration %} for each organization or group of similar organizations to reflect their different levels of security requirements and compliance obligations. For more information, see "[AUTOTITLE](/admin/managing-code-security/securing-your-enterprise/creating-a-custom-security-configuration-for-your-enterprise)." | ||
|
||
{% ifversion security-configurations-ghes-only %} | ||
|
||
When creating a security configuration, keep in mind that: | ||
* Only features installed by a site administrator on your {% data variables.product.prodname_ghe_server %} instance will appear in the UI. | ||
* {% data variables.product.prodname_GH_advanced_security %} features will only be visible if your enterprise or {% data variables.product.prodname_ghe_server %} instance holds a {% data variables.product.prodname_GH_advanced_security %} license. | ||
* Certain features, like {% data variables.product.prodname_dependabot_security_updates %} and {% data variables.product.prodname_code_scanning %} default setup, also require that {% data variables.product.prodname_actions %} is installed on the {% data variables.product.prodname_ghe_server %} instance. | ||
|
||
{% endif %} | ||
|
||
{% data reusables.security-configurations.emu-note %} | ||
|
||
{% data reusables.security-configurations.security-features-use-actions %} | ||
|
||
## Preserving default settings for new repositories | ||
|
||
If you had default security settings in place for newly created repositories, {% data variables.product.github %} will preserve these settings by automatically creating a "New repository default settings" security configuration for your enterprise. The configuration matches your previous enterprise-level default settings for new repositories as of December, 2024. | ||
|
||
The "New repository default settings" configuration will automatically get applied to any newly created repositories in your enterprise, if no organization-level defaults are set. |
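Review bot: the link inside the `{% ifversion security-configurations-cloud %}` block (the "We recommend securing your enterprise with ..." paragraph) targets `applying-the-github-recommended-security-configuration-to-your-enterprise`, which this commit versions as `ghec: '*'` only, while this article is versioned by the `security-configuration-enterprise-level` feature; please confirm that the `security-configurations-cloud` flag resolves to exactly the `ghec` versions, otherwise the link can render on a version where the target page is not built. Two wording points in "Preserving default settings for new repositories": `as of December, 2024` should drop the comma, and `will automatically get applied to any newly created repositories in your enterprise, if no organization-level defaults are set` reads better as `is applied automatically to any newly created repository in your enterprise when no organization-level defaults are set`.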
...-your-enterprise/applying-a-custom-security-configuration-to-your-enterprise.md (34 changes: 34 additions & 0 deletions)
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,34 @@ | ||
--- | ||
title: Applying a custom security configuration to your enterprise | ||
shortTitle: Apply custom configuration | ||
intro: 'You can apply your {% data variables.product.prodname_custom_security_configuration %} to organizations and repositories in your organization to meet the specific security needs of your enterprise.' | ||
permissions: '{% data reusables.permissions.security-configuration-enterprise-enable %}' | ||
versions: | ||
feature: security-configuration-enterprise-level | ||
topics: | ||
- Advanced Security | ||
- Organizations | ||
- Security | ||
--- | ||
|
||
## About applying a {% data variables.product.prodname_custom_security_configuration %} | ||
|
||
After you create a {% data variables.product.prodname_custom_security_configuration %}, you need to apply it to repositories in your enterprise to enable the configuration's settings on those repositories. | ||
|
||
{% data reusables.security-configurations.security-features-use-actions %} | ||
|
||
## Applying your {% data variables.product.prodname_custom_security_configuration %} to repositories in your enterprise | ||
|
||
{% data reusables.enterprise-accounts.access-enterprise %} | ||
{% data reusables.enterprise-accounts.settings-tab %} | ||
1. In the left sidebar, click **Code security**. | ||
1. To the right of the configuration you want to apply, select the **Apply to** {% octicon "triangle-down" aria-hidden="true" %} dropdown menu, then click **All repositories** or **All repositories without configurations**. | ||
{% data reusables.security-configurations.apply-configuration-by-default %} | ||
|
||
{% data reusables.security-configurations.apply-configuration %} | ||
|
||
{% data reusables.security-configurations.failure-handling-enterprise %} | ||
|
||
## Next steps | ||
|
||
To learn how to edit your {% data variables.product.prodname_custom_security_configuration %}, see "[AUTOTITLE](/admin/managing-code-security/securing-your-enterprise/editing-a-custom-security-configuration)." |
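Review bot: the `intro` front matter says `organizations and repositories in your organization`, but this is the enterprise-level article and the "About applying ..." paragraph only describes applying the configuration to repositories in your enterprise; suggest `to repositories in your enterprise` so the intro and the body agree. Relatedly, the `topics` list uses `Organizations` where the sibling articles in this commit use `Enterprise`. The "Next steps" link targets `editing-a-custom-security-configuration` under `securing-your-enterprise`, which is not among the hunks shown here; worth confirming that page exists at that path before merging.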
...se/applying-the-github-recommended-security-configuration-to-your-enterprise.md (40 changes: 40 additions & 0 deletions)
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,40 @@ | ||
--- | ||
title: Applying the GitHub-recommended security configuration to your enterprise | ||
shortTitle: Apply recommended configuration | ||
intro: 'Secure your code with the security enablement settings created, managed, and recommended by {% data variables.product.github %}.' | ||
permissions: '{% data reusables.permissions.security-configuration-enterprise-enable %}' | ||
versions: | ||
ghec: '*' | ||
topics: | ||
- Advanced Security | ||
- Enterprise | ||
- Security | ||
--- | ||
|
||
## About the {% data variables.product.prodname_github_security_configuration %} | ||
|
||
The {% data variables.product.prodname_github_security_configuration %} is a set of industry best practices and features that provide a robust, baseline security posture for enterprises. This configuration is created and maintained by subject matter experts at {% data variables.product.github %}, with the help of multiple industry leaders and experts. The {% data variables.product.prodname_github_security_configuration %} is designed to successfully reduce the security risks for low- and high-impact repositories. We recommend you apply this configuration to all the repositories in your enterprise. | ||
|
||
{% data reusables.security-configurations.github-recommended-warning-enterprise %} | ||
|
||
## Applying the {% data variables.product.prodname_github_security_configuration %} to repositories in your enterprise | ||
|
||
{% data reusables.enterprise-accounts.access-enterprise %} | ||
{% data reusables.enterprise-accounts.settings-tab %} | ||
1. In the left sidebar, click **Code security**. | ||
1. In the "{% data variables.product.company_short %} recommended" row of the configurations table for your enterprise, select the **Apply to** {% octicon "triangle-down" aria-hidden="true" %} dropdown menu, then click **All repositories** or **All repositories without configurations**. | ||
{% data reusables.security-configurations.apply-configuration-by-default %} | ||
|
||
{% data reusables.security-configurations.apply-configuration %} | ||
|
||
{% data reusables.security-configurations.failure-handling-enterprise %} | ||
|
||
## Enforcing the {% data variables.product.prodname_github_security_configuration %} | ||
|
||
{% data reusables.enterprise-accounts.access-enterprise %} | ||
{% data reusables.enterprise-accounts.settings-tab %} | ||
1. In the left sidebar, click **Code security**. | ||
1. In the "Configurations" section, select "{% data variables.product.company_short %} recommended". | ||
1. In the "Policy" section, next to "Enforce configuration", select **Enforce** from the dropdown menu. | ||
|
||
{% data reusables.code-scanning.custom-security-configuration-enforcement-edge-cases-enterprise %} |
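Review bot: the "Enforcing the ..." section gives only the click path plus the edge-cases reusable and never says what enforcing does for organization and repository owners, so a reader cannot tell enforcing apart from applying; a one-sentence lead before the numbered steps would fix that. Also, `versions: ghec: '*'` differs from the `feature: security-configuration-enterprise-level` versioning used by the other three articles in this commit; if the recommended configuration is cloud-only this is intentional, otherwise align it with the feature flag. Minor: `designed to successfully reduce` can drop `successfully`.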
...terprise/configuring-additional-secret-scanning-settings-for-your-enterprise.md (49 changes: 49 additions & 0 deletions)
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,49 @@ | ||
--- | ||
title: Configuring additional secret scanning settings for your enterprise | ||
shortTitle: Configure additional settings | ||
intro: 'Learn how to configure additional {% data variables.product.prodname_secret_scanning %} settings for your enterprise.' | ||
permissions: '{% data reusables.permissions.security-configuration-enterprise-enable %}' | ||
versions: | ||
feature: security-configuration-enterprise-level | ||
topics: | ||
- Advanced Security | ||
- Enterprise | ||
- Security | ||
--- | ||
|
||
## About additional settings for {% data variables.product.prodname_secret_scanning %} | ||
|
||
There are some additional {% data variables.product.prodname_secret_scanning %} settings that cannot be applied to repositories using {% data variables.product.prodname_security_configurations %}, so you must configure these settings separately: | ||
|
||
* [Configuring a resource link for push protection](/admin/managing-code-security/securing-your-enterprise/configuring-additional-secret-scanning-settings-for-your-enterprise#configuring-a-resource-link-for-push-protection){% ifversion secret-scanning-ai-generic-secret-detection %} | ||
* [Configuring AI detection to find additional secrets](/admin/managing-code-security/securing-your-enterprise/configuring-additional-secret-scanning-settings-for-your-enterprise#configuring-ai-detection-to-find-additional-secrets){% endif %} | ||
|
||
These additional settings only apply to repositories with both {% data variables.product.prodname_GH_advanced_security %} and {% data variables.product.prodname_secret_scanning %} enabled. | ||
|
||
## Accessing the additional settings for {% data variables.product.prodname_secret_scanning %} | ||
|
||
{% data reusables.enterprise-accounts.access-enterprise %} | ||
{% data reusables.enterprise-accounts.settings-tab %} | ||
1. In the left sidebar, click **Code security**. | ||
1. Scroll down the page to the "Additional settings" section. | ||
|
||
### Configuring a resource link for push protection | ||
|
||
To provide context for developers when {% data variables.product.prodname_secret_scanning %} blocks a commit, you can display a link with more information on why the commit was blocked. | ||
|
||
1. Under "Additional settings", to the right of "Resource link for push protection", click **{% octicon "pencil" aria-hidden="true" %}**. | ||
1. In the text box, type the link to the desired resource, then click **{% octicon "check" aria-label="Save" %}**. | ||
|
||
{% ifversion secret-scanning-ai-generic-secret-detection %} | ||
|
||
### Configuring AI detection to find additional secrets | ||
|
||
{% data variables.secret-scanning.copilot-secret-scanning %}'s {% data variables.secret-scanning.generic-secret-detection %} is an AI-powered expansion of {% data variables.product.prodname_secret_scanning %} that scans and creates alerts for unstructured secrets, such as passwords. | ||
|
||
1. Under "Additional settings", to the right of "Use AI detection to find additional secrets", ensure the setting is toggled to "On". | ||
|
||
{% data reusables.secret-scanning.copilot-secret-scanning-generic-secrets-subscription-note %} | ||
|
||
To learn more about generic secrets, see "[AUTOTITLE](/code-security/secret-scanning/copilot-secret-scanning/responsible-ai-generic-secrets)." | ||
|
||
{% endif %} |
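Review bot: in "Configuring a resource link for push protection", the steps do not say what value the text box accepts (a URL to an internal page, for example), which is the one thing an admin needs to know before clicking the pencil; suggest stating it in the step. The `{% ifversion secret-scanning-ai-generic-secret-detection %}` in the bullet list is opened at the tail of the first `*` item and closed at the tail of the second, so the guard straddles two list items; if that is the repo's convention for avoiding a blank line inside a list it is fine, but please check the rendered list on versions where the flag is off so no stray whitespace remains (the same flag wraps the whole "Configuring AI detection to find additional secrets" section further down). The two list links are absolute paths to this very article; the `#configuring-a-resource-link-for-push-protection` and `#configuring-ai-detection-to-find-additional-secrets` anchors alone would do.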