
About enabling security features at scale

You can quickly secure your organization at scale with security configurations and global settings.

About securing your organization

GitHub has many features that help you improve and maintain the quality of your code. Some features are included in all GitHub plans. Additional features are available to organizations on GitHub Team and GitHub Enterprise Cloud that purchase a GitHub Advanced Security product:

  • GitHub Secret Protection: includes features that help you detect and prevent secret leaks, such as secret scanning and push protection.
  • GitHub Code Security: includes features that help you find and fix vulnerabilities, such as code scanning, premium Dependabot features, and dependency review.

You can easily enable and manage GitHub's security features throughout your organization with security configurations, which control repository-level security features, and global settings, which control security features at the organization level. We recommend applying security configurations and customizing your global settings to create a system that best meets the security needs of your organization.

For more information on purchasing GitHub Secret Protection or GitHub Code Security, see About GitHub Advanced Security and Purchasing Advanced Security for your organization or enterprise in the GitHub Enterprise Cloud documentation.

About security configurations

Security configurations are collections of enablement settings for GitHub's security features that you can apply to any repositories in your organization.

There are two types of security configuration:

  • The GitHub-recommended security configuration. This configuration is a collection of enablement settings created and managed by subject matter experts at GitHub. The GitHub-recommended security configuration is designed to adequately secure any repository, and can easily be applied to all repositories in your organization.
  • Custom security configurations. These are configurations you can create and edit yourself, allowing you to choose different enablement settings for groups of repositories with specific security needs.

Note

If a user in your organization tries to change the enablement status of a feature in an applied configuration using the REST API, the API call will appear to succeed, but the enablement status will not change.

In some situations, the application of a security configuration to a repository may be interrupted. For example, code scanning enablement will not be applied to a repository if:

  • GitHub Actions was initially enabled on the repository but was subsequently disabled.
  • The GitHub Actions required by the code scanning configuration are not available on the repository.
  • The definition changes so that languages can no longer be analyzed using the existing setup for code scanning.

Each repository can only have one security configuration applied to it. To find out how you should get started with security configurations, see Choosing a security configuration for your repositories.

You can also create and manage security configurations using the REST API. For more information, see Configurations in the REST API documentation.
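Because API calls against an applied configuration can appear to succeed without changing anything, and enablement can be interrupted by the cases listed above, a useful check is to compare the configuration attached to a repository with the feature state the repository actually reports. The script below is an added example, not code from the GitHub documentation; the endpoint paths and the `security_and_analysis` field names are assumptions based on the public REST API, and the sample data is constructed.

```python
import json
import urllib.request

# Configuration fields ("enabled"/"disabled"/"not_set") and the matching keys
# under the repository object's "security_and_analysis" (assumed field names).
FEATURE_MAP = {
    "advanced_security": "advanced_security",
    "secret_scanning": "secret_scanning",
    "secret_scanning_push_protection": "secret_scanning_push_protection",
    "dependabot_security_updates": "dependabot_security_updates",
}

def find_drift(configuration: dict, security_and_analysis: dict) -> dict:
    """Return {feature: (expected, actual)} for each managed feature whose
    live state disagrees with the configuration; "not_set" is unmanaged."""
    drift = {}
    for cfg_key, repo_key in FEATURE_MAP.items():
        expected = configuration.get(cfg_key, "not_set")
        if expected == "not_set":
            continue
        actual = security_and_analysis.get(repo_key, {}).get("status", "disabled")
        if expected != actual:
            drift[cfg_key] = (expected, actual)
    return drift

def fetch_json(url: str, token: str) -> dict:
    req = urllib.request.Request(url, headers={
        "Authorization": f"Bearer {token}",
        "Accept": "application/vnd.github+json"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)

def check_repo(owner: str, repo: str, token: str) -> dict:
    """Live check (network): applied configuration vs. repository state."""
    base = f"https://api.github.com/repos/{owner}/{repo}"
    applied = fetch_json(f"{base}/code-security-configuration", token)
    repo_obj = fetch_json(base, token)
    return find_drift(applied.get("configuration", {}),
                      repo_obj.get("security_and_analysis", {}))

# Constructed sample: configuration expects push protection on, repo reports off.
SAMPLE_CONFIG = {"advanced_security": "enabled", "secret_scanning": "enabled",
                 "secret_scanning_push_protection": "enabled",
                 "dependabot_security_updates": "not_set"}
SAMPLE_REPO = {"advanced_security": {"status": "enabled"},
               "secret_scanning": {"status": "enabled"},
               "secret_scanning_push_protection": {"status": "disabled"},
               "dependabot_security_updates": {"status": "disabled"}}

if __name__ == "__main__":
    print(find_drift(SAMPLE_CONFIG, SAMPLE_REPO))
```

Run `check_repo(owner, repo, token)` with a token that can read the repository to get the same report against live data; any non-empty result is a repository whose security features do not match the configuration the organization applied.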

About global settings

While security configurations determine repository-level security settings, global settings determine your organization-level security settings, which are then inherited by all repositories. With global settings, you can customize how security features analyze your organization.

About enabling secure access to private registries

If your organization uses private registries, giving code scanning and Dependabot secure access to these registries will improve code analysis and allow Dependabot to update a wider range of dependencies. For information, see Allowing security features access to private registries.

About integrating production context

If your organization uses Microsoft Defender for Cloud, JFrog Artifactory, or CI/CD to promote artifacts to production, you can integrate this data into GitHub. This production context helps you prioritize code scanning and Dependabot alerts. For more information, see Prioritizing Dependabot and code scanning alerts using production context.

Next steps

To determine which security configurations are right for the repositories in your organization, see Choosing a security configuration for your repositories.