About enabling security features at scale

You can quickly secure your organization at scale with security configurations and global settings.

En este artículo

About securing your organization

GitHub has many features that help you improve and maintain the quality of your code. Some features are included in all GitHub plans. Additional features are available to organizations on GitHub Team and GitHub Enterprise Cloud that purchase a GitHub Advanced Security product:

  • GitHub Secret Protection, que incluye características que te ayudan a detectar y evitar fugas de secretos, como secret scanning y protección de inserción.
  • GitHub Code Security, que incluye características que te ayudan a encontrar y corregir vulnerabilidades, como code scanning, características premium de Dependabot y revisión de dependencias.

You can easily enable and manage GitHub's security features throughout your organization with security configurations, which control repository-level security features, and global settings, which control security features at the organization level. We recommend applying security configurations and customizing your global settings to create a system that best meets the security needs of your organization.

For more information on purchasing GitHub Secret Protection or GitHub Code Security, see Acerca de GitHub Advanced Security and Compra de Advanced Security para tu organización o empresa in the GitHub Enterprise Cloud documentation.

About security configurations

Security configurations son colecciones de ajustes de habilitación para las características de seguridad de GitHub que puede aplicar a cualquier repositorio de su organización.

There are two types of security configuration:

  • The GitHub-recommended security configuration. This configuration is a collection of enablement settings created and managed by subject matter experts at GitHub. The GitHub-recommended security configuration is designed to adequately secure any repository, and can easily be applied to all repositories in your organization.
  • Custom security configurations. These are configurations you can create and edit yourself, allowing you to choose different enablement settings for groups of repositories with specific security needs.

Nota:

Si un usuario de la organización intenta cambiar el estado de habilitación de una característica en una configuración aplicada mediante la API REST, la llamada a la API aparecerá correctamente, pero no cambiarán los estados de habilitación.

Algunas situaciones pueden interrumpir la aplicación de security configurations para un repositorio. Por ejemplo, la habilitación de code scanning no se aplicará a un repositorio si:

  • GitHub Actions está habilitado inicialmente en el repositorio, pero luego se deshabilita en el repositorio.
  • Los GitHub Actions requeridos por code scanning no están disponibles en el repositorio.
  • Se cambia la definición para la que no se deben analizar los idiomas mediante la configuración predeterminada code scanning.

Each repository can only have one security configuration applied to it. To find out how you should get started with security configurations, see Elección de una configuración de seguridad para los repositorios.

You can also create and manage security configurations using the REST API. For more information, see Configurations.

About global settings

While security configurations determine repository-level security settings, global settings determine your organization-level security settings, which are then inherited by all repositories. With global settings, you can customize how security features analyze your organization.

About enabling secure access to private registries

If your organization uses private registries, providing code scanning and Dependabot secure access to these registries will improve code analysis and allow Dependabot to update a wider range of dependencies. For information, see Concesión de acceso a las características de seguridad a registros privados.

About integrating production context

If your organization uses Microsoft Defender for Cloud, JFrog Artifactory, or CI/CD to promote artifacts to production, you can integrate this data into GitHub. This production context helps you prioritize code scanning and Dependabot alerts. For more information, see Prioritizing Dependabot and code scanning alerts using production context.

Next steps

To determine which security configurations are right for the repositories in your organization, see Elección de una configuración de seguridad para los repositorios.