Setting security policies - Training

Tags

Top Highlights

• In this section, you'll learn about settings that define user permissions and allow automation of common security tasks.

• SECURITY.md is the primary document for communicating security information. It is a Markdown file in a repository's root, docs, or .github folder. The SECURITY.md file should include:

• default community health files

• Documentation and security settings serve three broad purposes.

• Standardization

• Compliance

• Prevention

• other community health documentation

• GitHub considers files of these types to have specific purpose, and requires you to follow the listed naming scheme when creating or updating them.

• The root of the repository The .github folder The docs folder

• you can configure security settings at the organization and enterprise level

• organization policies

• Enterprise policies

• base permissions for all members

• Repository policies tab

• As you can see, settings that Enterprise administrators enforce cascade down to all organizations covered by the GitHub Enterprise plan, while settings not covered by Enterprise administrators are free to be customized by organization administrators

• Access restrictions, security documentation, advisories, Dependabot alerts and security updates, Dependabot version updates, and the GitHub dependency graph are available for all repositories

• these features are only available for private repositories with an Advanced Security license or public repositories

• Code scanning alerts, secret scanning alerts

• In this section, you'll learn the basics of the GitHub security advisory tools that allow you to draft and publish comprehensive documentation on the nature of the threat.