Skip to main content
GitHub Docs
Search
Select language: current language is English
Open Search BarClose Search Bar
Open Menu
Open Sidebar
  • Secure coding/
  • GitHub security features
  • Audit security alerts
  • Enable security features in trial
  • Choose security configuration
    • Configure global settings
    • Edit custom configuration
    • Delete custom configuration
    • Push protection
    • Enable push protection
    • Resolve alerts
    • Push protection from the REST API
    • Generate regular expressions with AI
    • About CodeQL code scanning
    • Configure advanced setup
    • Hardware resources for CodeQL
    • Disable Copilot Autofix
    • Track alerts in issues
    • CodeQL query suites
    • C# CodeQL queries
    • Python CodeQL queries
    • Using code scanning with your existing CI system
    • Alerts in generated code
    • Cannot enable CodeQL in a private repository
    • Logs not detailed enough
    • Resource not accessible
    • Two CodeQL workflows
    • GitHub Advanced Security disabled
    • Results file too large
    • Preparing code for analysis
    • Advanced setup of the CodeQL CLI
    • Testing custom queries
    • Specifying command options in a CodeQL configuration file
    • Extractor options
    • bqrs diff
    • database add-diagnostic
    • database create
    • database index-files
    • database run-queries
    • dataset check
    • dataset upgrade
    • execute language-server
    • execute upgrades
    • github merge-results
    • pack ci
    • pack install
    • pack resolve-dependencies
    • query format
    • resolve extensions-by-pack
    • resolve library-path
    • resolve qlpacks
    • resolve tests
    • test run
    • Manage CodeQL databases
    • CodeQL model editor
    • Test CodeQL queries
    • Telemetry
    • About global security advisories
    • Permission levels
    • Edit repository advisories
    • Add collaborators
    • Best practices
    • Dependency graph
    • Export dependencies as SBOM
    • Customize dependency review action
    • Overview
    • Dependabot ecosystem support
    • Configure notifications
    • Manage auto-dismissed alerts
    • Dependabot version updates
    • Control dependency update
    • Auto-update actions
    • Manage Dependabot on self-hosted runners
    • Troubleshoot Dependabot on Actions
    • Enable security features/
    • Apply recommended configuration

    Applying the GitHub-recommended security configuration in your organization

    Secure your code with the security enablement settings created, managed, and recommended by GitHub.

    Who can use this feature?

    Organization owners, security managers, and organization members with the admin role

    In this article

    • About the GitHub-recommended security configuration
    • Applying the GitHub-recommended security configuration to all repositories in your organization
    • Applying the GitHub-recommended security configuration to specific repositories in your organization
    • Enforcing the GitHub-recommended security configuration
    • Next steps

    About the GitHub-recommended security configuration

    The GitHub-recommended security configuration is a collection of enablement settings for GitHub's security features that is created and maintained by subject matter experts at GitHub. The GitHub-recommended security configuration is designed to successfully reduce the security risks for low- and high-impact repositories. We recommend you apply this configuration to all the repositories in your organization.

    Applying the GitHub-recommended security configuration to all repositories in your organization

    1. In the upper-right corner of GitHub, select your profile photo, then click Your organizations.

    2. Under your organization name, click Settings. If you cannot see the "Settings" tab, select the dropdown menu, then click Settings.

    3. In the "Security" section of the sidebar, select the Code security dropdown menu, then click Configurations.

    4. In the "GitHub recommended" row of the configurations table for your organization, select the Apply to dropdown menu, then click All repositories or All repositories without configurations.

    5. Optionally, in the confirmation dialog, you can choose to automatically apply the security configuration to newly created repositories depending on their visibility. Select the None dropdown menu, then click Public, or Private and internal, or both.

      Note

      The default security configuration for an organization is only automatically applied to new repositories created in your organization. If a repository is transferred into your organization, you will still need to apply an appropriate security configuration to the repository manually.

    6. To apply the security configuration, click Apply.

    The security configuration is applied to both active and archived repositories because some security features run on archived repositories, for example, secret scanning. In addition, if a repository is later unarchived you can be confident that it is protected by the chosen security configuration.

    Applying the GitHub-recommended security configuration to specific repositories in your organization

    1. In the upper-right corner of GitHub, select your profile photo, then click Your organizations.

    2. Under your organization name, click Settings. If you cannot see the "Settings" tab, select the dropdown menu, then click Settings.

    3. In the "Security" section of the sidebar, select the Code security dropdown menu, then click Configurations.

    4. Optionally, in the "Apply configurations" section, filter the view to find the repositories you would like to apply the GitHub-recommended security configuration to. To learn how to filter the repository table, see Filtering repositories in your organization using the repository table.

    5. In the repository table, select repositories with one of three methods:

      • Select each individual repository you would like to apply the security configuration to.
      • To select all repositories on the current page of the repository table, select NUMBER repositories.
      • After selecting NUMBER repositories, to select all repositories in your organization that match your filter criteria, click Select all.

    6. Select the Apply configuration dropdown menu, then click GitHub recommended.

    7. Optionally, in the confirmation dialog, you can choose to automatically apply the security configuration to newly created repositories depending on their visibility. Select the None dropdown menu, then click Public, or Private and internal, or both.

      Note

      The default security configuration for an organization is only automatically applied to new repositories created in your organization. If a repository is transferred into your organization, you will still need to apply an appropriate security configuration to the repository manually.

    8. To apply the security configuration, click Apply.

    The security configuration is applied to both active and archived repositories because some security features run on archived repositories, for example, secret scanning. In addition, if a repository is later unarchived you can be confident that it is protected by the chosen security configuration.

    Enforcing the GitHub-recommended security configuration

    1. In the upper-right corner of GitHub, select your profile photo, then click Your organizations.

    2. Under your organization name, click Settings. If you cannot see the "Settings" tab, select the dropdown menu, then click Settings.

    3. In the "Security" section of the sidebar, select the Code security dropdown menu, then click Configurations.

    4. In the "Code security configurations" section, select "GitHub recommended".

    5. In the "Policy" section, next to "Enforce configuration", select Enforce from the dropdown menu.

    Note

    If a user in your organization attempts to change the enablement status of a feature in an enforced configuration using the REST API, the API call will appear to succeed, but no enablement statuses will change.

    Some situations can break the enforcement of security configurations for a repository. For example, the enablement of code scanning will not apply to a repository if:

    • GitHub Actions is initially enabled on the repository, but is then disabled in the repository.
    • GitHub Actions required by code scanning configurations are not available in the repository.
    • The definition for which languages should not be analyzed using code scanning default setup is changed.

    Next steps

    After you apply the GitHub-recommended security configuration, you can customize your organization-level security settings with global settings. See Configuring global security settings for your organization.

    You may encounter an error when you attempt to apply a security configuration. For more information, see

    Follow Lee on X/Twitter - Father, Husband, Serial builder creating AI, crypto, games & web tools. We are friends :) AI Will Come To Life!

    Check out: eBank.nz (Art Generator) | Netwrck.com (AI Tools) | Text-Generator.io (AI API) | BitBank.nz (Crypto AI) | ReadingTime (Kids Reading) | RewordGame | BigMultiplayerChess | WebFiddle | How.nz | Helix AI Assistant