Feedback requested: New security configurations feature! 🎉

[KateCatlin]

What's new?

We're excited to announce the launch of our latest feature, security configurations! We're eager to hear what you think!

With this feature, you can:

• Easily create a modular set of security settings for groups of repositories.
• Explore and implement our GitHub recommended security configurations as a starting point.
• Establish a default configuration for all new repositories with essential security features enabled.
• See the additional GHAS licenses required to apply a configuration (or freed up by disabling GHAS).

What's next?

This release marks the beginning of our public beta phase!

There's still more to come before we officially roll out the feature. Now is the perfect time for your feedback to help us shape its future 🎉 🚀

Let's talk!

Got questions, comments, concerns, or just want to share some kudos? We're all ears! Your input matters, so let's start a conversation and make this feature even better together.

[makskustomer]

This is a great way to enforce this without getting code involved. Regarding configs that fail to apply; it would be helpful to understand why they failed and whether an old codeql config is present that needs to be removed. If so, help us remove the old configs en mass.

[makskustomer]

Couple of other issues surfaced:

1. When filtering by config-status:failed on the configurations page, it also shows repos without a config applied or that may have failed in the past but no longer fail.
2. In global settings and configurations, there is no way to define what is part of the default or extended setup. This is particularly troublesome if you want to include languages not part of the default but have no way to do so.
3. The above as well as a quick way remove old configs is causing about 2/3 of my repos to fail without manual intervention on my part.

[KateCatlin]

Hi @makskustomer thank you so much for the excellent feedback! I'm documenting all of these and will circle back when they are addressed. Appreciate you jumping in on the beta so fast.

[KateCatlin]

Quick follow-up here @makskustomer - I'd love to jump on a call and learn more about your use case on a couple of these. Do you have ~25 minutes to chat? If so, you can book me here!

[unchris]

We've been working on a script to automate this recently - glad to see it's being baked into the UI, it's definitely going to save us some time for the basic Enable/Disable toggles!

Some feedback:

1. Our company uses enterprise cloud with EMU and lots of organizations. It would be nice if this could be set at the enterprise level instead of having to configure this per-org.
2. For configuring CodeQL or any other tool that has language-dependent features, it would be nice if the language detection feature in each repo could be combined with creating the boilerplate advanced CodeQL workflow that allows you to (among other things) set the language input to codeql-action/init
3. For repositories that have code compilation needs, it would be nice if when you apply a configuration, it could notify or easily dashboard which repos are failing after applying the CodeQL workflow.
4. This strays somewhat outside of security, but I assume Dependabot Version update schedules are at least somewhat linked with whatever triggers Dependabot Security PRs? If so, it would be nice if dependabot.yml files could be configured similarly, even if we have to supply some "default code" for things like private registry support. Currently I have the task of creating hundreds of these dependabot.yml files with private registry configuration for maven, npm, and python using CodeArtifact, and I suspect we'll be adding a few new ones. It would be amazing if this could also be configured at org- or enterprise-level with a configuration tool like the one you've released today.

[KateCatlin]

Hi @unchris! Thank you for all of this! It's great feedback and we appreciate you jumping in so quickly.

1. Our company uses enterprise cloud with EMU and lots of organizations. It would be nice if this could be set at the enterprise level instead of having to configure this per-org.

Enterprise level configurations are coming soon!

2. For configuring CodeQL or any other tool that has language-dependent features, it would be nice if the language detection feature in each repo could be combined with creating the boilerplate advanced CodeQL workflow that allows you to (among other things) set the language input to codeql-action/init

That is a really interesting idea that I will circle back with the team and ask for their thoughts on!

3. For repositories that have code compilation needs, it would be nice if when you apply a configuration, it could notify or easily dashboard which repos are failing after applying the CodeQL workflow.

We agree, and better failure messaging is coming soon!

4. This strays somewhat outside of security, but I assume Dependabot Version update schedules are at least somewhat linked with whatever triggers Dependabot Security PRs? If so, it would be nice if dependabot.yml files could be configured similarly, even if we have to supply some "default code" for things like private registry support. Currently I have the task of creating hundreds of these dependabot.yml files with private registry configuration for maven, npm, and python using CodeArtifact, and I suspect we'll be adding a few new ones. It would be amazing if this could also be configured at org- or enterprise-level with a configuration tool like the one you've released today.

This is an interesting idea as well, I'll chat with the Dependabot Updates folks and get their take!

[a-takamin]

Hello. Thank you for this nice feature!

I found that even when I apply the configuration that doesn't require the Advanced Security licenses, the message "5 GitHub Advanced Security licenses required" displays.
But the number should be 0, and after applying, the licenses won't really be used up. The number of available licenses did not change.

Could you please see if there is a bug?

---

configuration:

• GitHub Advanced Security features: Exclude
• Dependency graph: Enable
  • Dependabot: Enable
  • Vulnerable function calls: Disable
  • Security updates: Enable
• Code scanning: Disable
• Secret scanning: Disable
  • Push protection: Disable
• Private vulnerability reporting: Enable
• Policy: Public, private and internal

---

Thank you in advance.

[KateCatlin]

Hey @a-takamin thanks for reaching out! Can you share the name of the organization name where this is happening to you so we can look into it? It would also be helpful to know the configuration name and the repo names where it's errantly showing that you need licenses.

Thanks so much! We'll look into this straight away.

[a-takamin]

Hello, @KateCatlin
I'm sorry for the closed discussion, but could I share the name of the org. and the configuration in a new support ticket?
That is because they are private information.
Thank you.

[jamestran201]

@a-takamin Thank you for reporting this issue! We can reproduce it now, and will work on a fix for this.

[markgarrigan]

How do I apply the configuration I created?

[catulii]

Hi @markgarrigan, you can apply configurations in the repository table below! You can search/filter for specific repositories and once you make a selection, you will see an Apply configuration dropdown button. Once you click that, you can select the configuration you want to apply to the selected repositories.

Does that make sense?

[markgarrigan]

Ahhh... I see. Just a little feedback. Maybe I'm just a "dumb" ;) user but that is not super intuitive to me.

The instructions above that table say this....

Apply configurations
2761 GitHub Advanced Security licenses available, 20239 in use by XXXXXX.
Select repositories to view license consumption information.

The last line might be improved by saying...
Select repositories to view license consumption information and apply configurations.

[catulii]

@markgarrigan no such thing! That's why we're in beta, to find these kinks and make the experience more intuitive, so feedback like this is the best. We can definitely make that copy more explicit, thank you for your suggestion.

[markgarrigan]

What does No Security Features Enabled mean?

It appears to me that there are security features enabled.

[markgarrigan]

There seems to be an issue figuring out which repos have security features applied.

I have 31 pages of repos.

The repo table shows 25 repos on each page. The first page seems to correctly show which configuration is applied. However, every subsequent page shows...

[KateCatlin]

Hey @markgarrigan! Thanks so much for letting us know about this. It was indeed a bug, and we got a fix up for it today so let us know if it's still occurring for you!

[MarshallOfSound]

Heya @KateCatlin 👋

Great feature, much easier than my old approach of opening 100 repos in new tabs 😆 It's a bit scary to operate though because it's not clear what exactly will happen when I apply a given policy to a set of repos. Would be great if the confirmation prompt gave you an outline of the "diff" that was going to be applied (if any) when the policies get applied.

Otherwise I still have to go through each repo and see what the current setting for each thing is just to be sure there isn't a weird setting somewhere for a good reason 😅

[KateCatlin]

Hey @MarshallOfSound! Always great hearing from you. I love this idea! Let's jump on a call and discuss it - I'll reach out!

[archangelneo18]

Can we also add a way to add security features via global settings, like adding dependencies review workflows/actions? Another way is to add critical block actions in the global settings without creating new rules, etc.

[KateCatlin]

Thanks for the feedback @archangelneo18! This is really interesting and I want to hear more about your use case here. Would you be willing to book some time for us to chat and hear more? If so, you can grab any slot open on my calendar here!