Assessing adoption of security features
You can use security overview to see which teams and repositories have already enabled features for secure coding, and identify any that are not yet protected.
Who can use this feature?
Access requires:
- Organization views:write access to repositories in the organization
- Enterprise views: organization owners and security managers
Organizations owned by a GitHub Team account with GitHub Secret Protection or GitHub Code Security, or owned by a GitHub Enterprise account
In this article
About adoption of features for secure coding
You can use security overview to see which repositories and teams have already enabled each security feature, and where people need more encouragement to adopt these features. The "Security coverage" view shows a summary and detailed information on feature enablement for an organization. You can filter the view to show a subset of repositories using the "enabled" and "not enabled" links, the "Teams" dropdown menu, and a search field in the page header.
Note
"Pull request alerts" are reported as enabled only when code scanning has analyzed at least one pull request since alerts were enabled for the repository.
You can download a CSV file of the data displayed on the "Security coverage" page. This data file can be used for efforts like security research and in-depth data analysis, and can integrate easily with external datasets. For more information, seeExporting data from security overview.
You can use the "Enablement trends" view to see enablement status and enablement status trends over time for Dependabot, code scanning, or secret scanning for repositories in an organization, or across organizations in an enterprise. For each of these features, you can view a graph visualizing the percentage of repositories that have the feature enabled, as well as a detailed table with enablement percentages for different points in time. For more information, seeViewing enablement trends for an organization andViewing enablement trends for an enterprise.
Viewing the enablement of security features for an organization
You can view data to assess the enablement of features for secure coding across repositories in an organization.
On GitHub, navigate to the main page of the organization.
Under your organization name, click Security.
To display the "Security coverage" view, in the sidebar, click Coverage.
Use options in the page summary to filter results to show the repositories you want to assess. The list of repositories and metrics displayed on the page automatically update to match your current selection. For more information on filtering, seeFiltering alerts in security overview.
- Use theTeams dropdown to show information only for the repositories owned by one or more teams. For more information, seeManaging team access to an organization repository.
- ClickNUMBER enabled orNUMBER not enabled in the header for any feature to show only the repositories with that feature enabled or not enabled.
- At the top of the list of repositories, clickNUMBER Archived to show only repositories that are archived.
- Click in the search box to add further filters to the repositories displayed.
Viewing the enablement of features for secure coding in an enterprise
You can view data to assess the enablement of security features across organizations in an enterprise.
Navigate to GitHub Enterprise Cloud.
In the top-right corner of GitHub, click your profile picture, then clickYour enterprises.
In the list of enterprises, click the enterprise you want to view.
At the top of the page, click Security.
To display the "Security coverage" view, in the sidebar, clickCoverage.
Use options in the page summary to filter results to show the repositories you want to assess. The list of repositories and metrics displayed on the page automatically update to match your current selection. For more information on filtering, seeFiltering alerts in security overview.
Use theTeams dropdown to show information only for the repositories owned by one or more teams. For more information, seeManaging team access to an organization repository.
ClickNUMBER enabled orNUMBER not enabled in the header for any feature to show only the repositories with that feature enabled or not enabled.
At the top of the list of repositories, clickNUMBER Archived to show only repositories that are archived.
Click in the search box to add further filters to the repositories displayed.
Tip
You can use the
ownerfilter in the search field to filter the data by organization. For more information, seeFiltering alerts in security overview.
Viewing enablement trends for an organization
You can view data to assess the enablement status and enablement status trends of security features for an organization.
On GitHub, navigate to the main page of the organization.
Under your organization name, click Security.
In the sidebar, under "Metrics," click Enablement trends.
Click on one of the tabs for "Dependabot," "Code scanning," or "Secret scanning" to view enablement trends and the percentage of repositories in your organization with that feature enabled. This data is displayed as a graph and a detailed table.
Optionally, use the options at the top of the "Enablement trends" view page to filter the group of repositories you want to see enablement trends for.
Use the date picker to set the time range that you want to view enablement trends for.
Click in the search box to add further filters on the enablement trends displayed. The filters you can apply are the same as those for the "Overview" dashboard view. For more information, seeFiltering alerts in security overview.
Viewing enablement trends for an enterprise
You can view data to assess the enablement status and enablement status trends of security features across organizations in an enterprise.
Navigate to GitHub Enterprise Cloud.
In the top-right corner of GitHub, click your profile picture, then clickYour enterprises.
In the list of enterprises, click the enterprise you want to view.
At the top of the page, click Security.
To display the "Enablement trends" view, in the sidebar, clickEnablement trends.
Click on one of the tabs for "Dependabot," "Code scanning," or "Secret scanning" to view enablement trends and the percentage of repositories across organizations in your enterprise with that feature enabled. This data is displayed as a graph and a detailed table.
Optionally, use the options at the top of the "Enablement trends" view page to filter the group of repositories you want to see enablement trends for.
- Use the date picker to set the time range that you want to view enablement trends for.
- Click in the search box to add further filters on the enablement trends displayed. For more information, seeFiltering alerts in security overview.
Tip
You can use theowner: filter in the search field to filter the data by organization. For more information, seeFiltering alerts in security overview.
Interpreting and acting on the enablement data
Some security features can and should be enabled on all repositories. For example, secret scanning alerts and push protection reduce the risk of a security leak no matter what information is stored in the repository. If you see repositories that don't already use these features, you should either enable them or discuss an enablement plan with the team who owns the repository. For information on enabling features for a whole organization, seeEnabling security features in your organization.
Other features are not suitable for use in all repositories. For example, there would be no point in enabling Dependabot for repositories that only use ecosystems or languages that are unsupported. As such, it's normal to have some repositories where these features are not enabled.
Your enterprise may also have configured policies to limit the use of some security features. For more information, seeEnforcing policies for code security and analysis for your enterprise.