About the GitHub-recommended security configuration
The GitHub-recommended security configuration is a collection of enablement settings for GitHub's security features that is created and maintained by subject matter experts at GitHub. It is designed to reduce the security risks of both low- and high-impact repositories. We recommend that you apply this configuration to all the repositories in your organization.
Applying the GitHub-recommended security configuration to all repositories in your organization
1. In the upper-right corner of GitHub, select your profile photo, then click Your organizations.
2. Under your organization name, click Settings. If you cannot see the "Settings" tab, select the dropdown menu, then click Settings.
3. In the "Security" section of the sidebar, select the Code security dropdown menu, then click Configurations.
4. In the "GitHub recommended" row of the configurations table for your organization, select the Apply to dropdown menu, then click All repositories or All repositories without configurations.
5. Optionally, in the confirmation dialog, you can choose to automatically apply the security configuration to newly created repositories depending on their visibility. Select the None dropdown menu, then click Public, or Private and internal, or both.

   Note: The default security configuration for an organization is only automatically applied to new repositories created in your organization. If a repository is transferred into your organization, you will still need to apply an appropriate security configuration to the repository manually.
6. To apply the security configuration, click Apply.
The security configuration is applied to both active and archived repositories because some security features run on archived repositories, for example, secret scanning. In addition, if a repository is later unarchived you can be confident that it is protected by the chosen security configuration.
Applying the GitHub-recommended security configuration to specific repositories in your organization
1. In the upper-right corner of GitHub, select your profile photo, then click Your organizations.
2. Under your organization name, click Settings. If you cannot see the "Settings" tab, select the dropdown menu, then click Settings.
3. In the "Security" section of the sidebar, select the Code security dropdown menu, then click Configurations.
4. Optionally, in the "Apply configurations" section, filter the view to find the repositories you would like to apply the GitHub-recommended security configuration to. To learn how to filter the repository table, see "Filtering repositories in your organization using the repository table."
5. In the repository table, select repositories with one of three methods:
   - Select each individual repository you would like to apply the security configuration to.
   - To select all repositories on the current page of the repository table, select NUMBER repositories.
   - After selecting NUMBER repositories, to select all repositories in your organization that match your filter criteria, click Select all.
6. Select the Apply configuration dropdown menu, then click GitHub recommended.
7. Optionally, in the confirmation dialog, you can choose to automatically apply the security configuration to newly created repositories depending on their visibility. Select the None dropdown menu, then click Public, or Private and internal, or both.

   Note: The default security configuration for an organization is only automatically applied to new repositories created in your organization. If a repository is transferred into your organization, you will still need to apply an appropriate security configuration to the repository manually.
8. To apply the security configuration, click Apply.
The security configuration is applied to both active and archived repositories because some security features run on archived repositories, for example, secret scanning. In addition, if a repository is later unarchived you can be confident that it is protected by the chosen security configuration.
Enforcing the GitHub-recommended security configuration
1. In the upper-right corner of GitHub, select your profile photo, then click Your organizations.
2. Under your organization name, click Settings. If you cannot see the "Settings" tab, select the dropdown menu, then click Settings.
3. In the "Security" section of the sidebar, select the Code security dropdown menu, then click Configurations.
4. In the "Code security configurations" section, select "GitHub recommended".
5. In the "Policy" section, next to "Enforce configuration", select Enforce from the dropdown menu.

Note: If a user in your organization attempts to change the enablement status of a feature in an enforced configuration using the REST API, the API call will appear to succeed, but no enablement statuses will change.
Some situations can break the enforcement of security configurations for a repository. For example, the enablement of code scanning will not apply to a repository if:
- GitHub Actions is initially enabled on the repository, but is then disabled in the repository.
- GitHub Actions required by code scanning configurations are not available in the repository.
- The definition for which languages should not be analyzed using code scanning default setup is changed.
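Because enforcement can silently stop applying to a repository, it is worth periodically checking the attachment status of every repository under the configuration rather than trusting the Apply click. The following added example (not part of the GitHub documentation) filters a response in the shape returned by the REST endpoint that lists a configuration's repositories; the endpoint path, the `status` values and the sample data are assumptions, so compare them against the current REST API reference for code security configurations before relying on the script.

```python
import json

# Constructed sample in the shape of (assumed endpoint)
# GET /orgs/{org}/code-security/configurations/{configuration_id}/repositories
# Status values and repository fields are assumptions, not taken from this page.
SAMPLE_RESPONSE = json.dumps([
    {"status": "enforced", "repository": {"full_name": "octo-org/api", "archived": False}},
    {"status": "attached", "repository": {"full_name": "octo-org/web", "archived": False}},
    {"status": "failed",   "repository": {"full_name": "octo-org/legacy", "archived": True}},
    {"status": "detached", "repository": {"full_name": "octo-org/tools", "archived": False}},
])

# Statuses that mean the configuration is in effect on the repository.
HEALTHY = {"attached", "enforced"}


def find_unprotected(response_json, require_enforced=False):
    """Return full names of repositories whose configuration status is not healthy.

    With require_enforced=True, anything other than "enforced" is reported,
    which is the check to run after selecting Enforce in the Policy section.
    """
    ok = {"enforced"} if require_enforced else HEALTHY
    items = json.loads(response_json)
    return sorted(
        item["repository"]["full_name"]
        for item in items
        if item.get("status") not in ok
    )


def summarize_by_status(response_json):
    """Count repositories per status so drift (e.g. many 'failed') stands out."""
    counts = {}
    for item in json.loads(response_json):
        counts[item.get("status", "unknown")] = counts.get(item.get("status", "unknown"), 0) + 1
    return counts


if __name__ == "__main__":
    # Archived repositories are included on purpose: secret scanning still runs on them.
    for name in find_unprotected(SAMPLE_RESPONSE, require_enforced=True):
        print("needs attention:", name)
    print(summarize_by_status(SAMPLE_RESPONSE))
```

In practice, replace `SAMPLE_RESPONSE` with the body fetched by an authenticated client (for example `gh api --paginate`) and run the check on a schedule, treating any repository in a failed or detached state as an alert.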
Next steps
After you apply the GitHub-recommended security configuration, you can customize your organization-level security settings with global settings. See "Configuring global security settings for your organization."
You may encounter an error when you attempt to apply a security configuration. For information on common errors, see "Troubleshooting security configurations."