About enabling delegated alert dismissal

Delegated alert dismissal lets you restrict which users can directly dismiss an alert. When the feature is enabled, users attempting to dismiss an alert will instead create a request for dismissal.

Enabling the feature automatically assigns organization owners and security managers with the permission to approve or deny dismissal requests for alerts. This permission is:

"Review and manage code scanning alert dismissal requests" permission for code scanning.
"Review and manage secret scanning alert dismissal requests" permission for secret scanning. This permission can also be applied to custom roles. Individuals in these custom roles must also have the following permissions, which grant access to alerts in all repositories:
- "View secret scanning alerts"
- "Dismiss or reopen secret scanning alerts"

For more information about these permissions, see Roles in an organization.

To learn more about the security manager role, see Managing security managers in your organization.

Note

The implementation of this approval process can potentially cause some friction, so it's important to ensure that the team of security managers has adequate coverage before proceeding.

Reviewers (security managers and organization owners):

Get an email notification for requests. These users need to ensure that they can review these lists periodically, so that there is no backlog and that the process is smooth.
Can process requests in a dedicated view in the "Security" tab of the organization. An alert will only be dismissed if the dismissal request is approved; otherwise, the alert will remain open.

Requesters will get an email notification with the decision as to whether the alert can be dismissed or not.

Configuring delegated dismissal for a repository

Note

If an organization owner configures delegated alert dismissal via an enforced security configuration, the settings can't be changed at the repository level.

On GitHub, navigate to the main page of the repository.
Under your repository name, click Settings. If you cannot see the "Settings" tab, select the dropdown menu, then click Settings.
In the "Security" section of the sidebar, click Advanced Security.
Under "Code Security", click Enable for "Prevent direct alert dismissals".

Configuring delegated dismissal for an organization

You must configure delegated dismissal for your organization using a custom security configuration. You can then apply the security configuration to all (or selected) repositories in your organization.

Create a new custom security configuration, or edit an existing one. See Creating a custom security configuration.
When creating the custom security configuration, under "Code scanning", set "Prevent direct alert dismissals" to Enabled.
Click Save configuration.
Apply the security configuration to all (or selected) repositories in your organization. See Applying a custom security configuration.

Configuring delegated dismissal for an enterprise

You must configure delegated dismissal for your enterprise using a custom security configuration. You can then apply the security configuration to all (or selected) repositories in your enterprise.

Create a new custom security configuration, or edit an existing one. See Creating a custom security configuration for your enterprise.
When creating the custom security configuration, under "code scanning", ensure that the dropdown menu for "Prevent direct alert dismissals" is set to Enabled.
Click Save configuration.
Apply the security configuration to all (or selected) repositories in your enterprise. See Applying a custom security configuration to your enterprise.

To learn more about security configurations, see

Who can use this feature?

In this article

About enabling delegated alert dismissal

Configuring delegated dismissal for a repository

Configuring delegated dismissal for an organization

Configuring delegated dismissal for an enterprise