Quickstart for securing your organization

You can use a number of GitHub features to help keep your organization secure.

Who can use this feature?

Organization owners and security managers can manage security features for an organization.

Introduction

As an organization owner or security manager, you can use GitHub's security features to keep your organization's code, dependencies, and secrets secure. For more information, see "GitHub security features."

Your organization's security needs are unique. You may want to enable a feature if your organization has been impacted by a vulnerability that a certain feature would have prevented, or if the feature will help your organization meet a compliance requirement.

You can enable security features across multiple repositories in an organization at the same time. For each feature you want to enable, you must decide how to roll out the feature across your organization's repositories. Different features have different effects on your organization and its contributors, so it's important to assess the impact each feature will have. For example:

  • Some features can generate notifications to inform your organization's members about specific vulnerabilities: to ensure these notifications are targeted and relevant, you may want to ask members to check their notification settings before you enable a feature. For more information, see "Configuring notifications."
  • Some features can consume resources for each repository in which they're enabled. For example, enabling code scanning in a private repository may consume a GitHub Advanced Security license, and running code scanning analysis in a repository will incur usage of GitHub Actions or another CI system.

As an organization owner, you can give certain users permission to enable or disable security features by assigning the "security manager" role to a team. Security managers can configure security settings and monitor usage of security features across your organization. For more information, see "Managing security managers in your organization."

About prerequisites of features

Some security features have prerequisites. For example, Dependabot alerts use information from the dependency graph, so enabling Dependabot alerts automatically enables the dependency graph.

Some features are enabled by default in public repositories. In private repositories, some features are only available to enterprises that use GitHub Advanced Security and have enabled Advanced Security as a feature for repositories. For more information, see "About GitHub Advanced Security."

There are some features you must configure for each repository individually. For example, to enable Dependabot version updates in a repository, you must add a dependabot.yml file specifying where to find information about the project's dependencies. For more information, see "Configuring Dependabot version updates."
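As an added illustration (not taken from this page or from a GitHub-maintained repository), the following is a minimal `.github/dependabot.yml` of the kind the paragraph above refers to. It assumes a repository whose npm manifest sits at the repository root and whose workflows use third-party GitHub Actions; the ecosystem names, `schedule`, `open-pull-requests-limit` and `groups` keys are standard Dependabot configuration keys, while the group name `minor-and-patch` and the repository layout are assumptions for this example.

```yaml
# Added example: a minimal .github/dependabot.yml (version 2 schema).
# Assumed layout: package.json at the repository root; workflows under .github/workflows.
version: 2
updates:
  # Keep the actions pinned in workflow files up to date (directory "/" is required
  # for the github-actions ecosystem even though workflows live under .github/workflows).
  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      interval: "weekly"

  # Version updates for the npm dependencies declared at the repository root.
  - package-ecosystem: "npm"
    directory: "/"
    schedule:
      interval: "weekly"
    # Cap concurrent version-update PRs so contributors are not flooded.
    open-pull-requests-limit: 5
    # Roll minor and patch bumps into one PR; majors still arrive individually.
    groups:
      minor-and-patch:
        update-types:
          - "minor"
          - "patch"
```

Once this file is merged on the default branch, Dependabot opens version-update pull requests on the chosen schedule; the `open-pull-requests-limit` and `groups` settings are the levers most worth tuning when assessing the impact on contributors, as the introduction above recommends.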

Enabling security features in your organization

You can use security configurations to enable security features using the GitHub-recommended security configuration, or you can create a custom security configuration. For more information, see "Applying the GitHub-recommended security configuration in your organization" and "Creating a custom security configuration."

Monitoring the impact of security features

When you have enabled a feature, you should communicate with repository administrators and contributors in your organization to assess the impact of the feature. You may need to adjust the configuration of some features at the repository level, or reassess the distribution of security features across your organization. You should also monitor the security alerts that a feature generates, and your members' responses to these alerts.

Organizations that use GitHub Enterprise Cloud can use security overview to see which teams and repositories are affected by security alerts, with a breakdown of alerts by severity. For more information, see "Assessing your code security risk" in the GitHub Enterprise Cloud documentation.

You can use various tools to monitor the actions that your organization's members are taking in response to security alerts. For more information, see "Auditing security alerts."

Next steps

To help users report security vulnerabilities, you can create a default security policy that will display in any of your organization's public repositories that do not have their own security policy. For more information, see "Creating a default community health file."

If you use GitHub Actions, you can use GitHub's security features to increase the security of your workflows. For more information, see "Using GitHub's security features to secure your use of GitHub Actions."

Further reading

"Accessing compliance reports for your organization"