Feedback requested: New security configurations feature! 🎉 #114519
Replies: 19 comments 58 replies
-
This is a great way to enforce this without getting code involved. Regarding configs that fail to apply; it would be helpful to understand why they failed and whether an old codeql config is present that needs to be removed. If so, help us remove the old configs en mass. |
Beta Was this translation helpful? Give feedback.
-
We've been working on a script to automate this recently - glad to see it's being baked into the UI, it's definitely going to save us some time for the basic Enable/Disable toggles! Some feedback:
|
Beta Was this translation helpful? Give feedback.
-
Hello. Thank you for this nice feature! I found that even when I apply the configuration that doesn't require the Advanced Security licenses, the message "5 GitHub Advanced Security licenses required" displays. Could you please see if there is a bug? configuration:
Thank you in advance. |
Beta Was this translation helpful? Give feedback.
-
What does No Security Features Enabled mean? It appears to me that there are security features enabled. |
Beta Was this translation helpful? Give feedback.
-
Heya @KateCatlin 👋 Great feature, much easier than my old approach of opening 100 repos in new tabs 😆 It's a bit scary to operate though because it's not clear what exactly will happen when I apply a given policy to a set of repos. Would be great if the confirmation prompt gave you an outline of the "diff" that was going to be applied (if any) when the policies get applied. Otherwise I still have to go through each repo and see what the current setting for each thing is just to be sure there isn't a weird setting somewhere for a good reason 😅 |
Beta Was this translation helpful? Give feedback.
-
Can we also add a way to add security features via global settings, like adding dependencies review workflows/actions? Another way is to add critical block actions in the global settings without creating new rules, etc. |
Beta Was this translation helpful? Give feedback.
-
Asking for the inverse here, it would be good if we could stuff some of the global settings into the configurations so that we can apply what we want using the powerful filtering across multiple repos. As an example, dependabot rules, using autofix or a number of other settings. @KateCatlin Currently Im in a situation where I want to setup automatic prs for certain severity levels of dependabot and it will apply to all my repos instead of ones I specify. |
Beta Was this translation helpful? Give feedback.
-
Should these settings be under the Security tab? Instead of settings? |
Beta Was this translation helpful? Give feedback.
-
This looks like an interesting feature indeed, however we ran into some issues after the beta feature was enabled in April by default for all GitHub organizations. To give some context: At the Eclipse Foundation we use a tool called otterdog (https://github.com/eclipse-csi/otterdog) to manage our numerous GitHub organizations with an infrastructure as code approach. Now when the tool creates a new repo, it also sets code security related settings right away as needed. With the new security configurations, the following sequence of events happens:
An example of these events can be seen here: The same applies for dependabot alerts and security updates as they follow the same principle. While the new security configurations are a great tool if you mainly use the GitHub Web UI to configure your repos and organizations, if you rely on tools that do that for you via the rest or graphql api, you have to apply all kind of annoying workarounds. In this case we would need to wait for the security configuration to be applied and then change the security settings as needed, but I would like to avoid that ofc. It would be amazing if there would be an option to completely disable security configurations such that nothing will be set after a repo has been created. Its fine if during the repo creation the security settings are immediately set to some default that could be determined from the legacy settings. This is basically the behavior up till March 2024. If there would be a way to ensure that this behavior is retained that would be of tremendous help for us. |
Beta Was this translation helpful? Give feedback.
-
I have been playing around with this for the past few days and have two thoughts, not bugs I think but extra things that would be very useful for our use case. Repository Admins can overrideWe have requirements to enforce policies on some of our repositories, the ability to repository administrators to opt out means we will have to invest time and effort into external solutions to keep re-applying the configuration, reporting on incompliance and internal processes to manage this. Would be ideal if the managed settings showed up as "managed by your organisation administrator" and couldn't be overridden. Appreciate there are cases when you may want initial settings for best practice vs enforced settings for business requirements and this would need further thought to work out the logistics. Configuration Auto Apply via FilteringThe filters to identify repositories to apply the configurations to is great, as is the setting in the configuration themselves to apply to newly created repositories. For my use case it would ideal to be able define a filter within the configuration that will auto target and matching repositories. For example, a filter set on a custom property of "repo_sensitivity", an existing repository has its sensitivity upgraded and now automatically meets the filter. As it is now, and as I understand the feature (so hopefully not getting this wrong) I would have to manually apply the configuration using the filter option, rather than it automatically happening as the criteria where met. |
Beta Was this translation helpful? Give feedback.
-
Hey everyone! I held off on submitting some feedback, but after trying the feature for awhile I have some thoughts and ideas!
Thanks for all the hard work on this! It's been a lot of fun to play around with - glad we're able to stop users from disabling security now! |
Beta Was this translation helpful? Give feedback.
-
@KateCatlin (tagging you since this is your thread, but feel free to tell me I'm wrong) - I love this feature and recommend it to clients a lot. HOWEVER I feel like the filtering is broken. I reproduced it in a test org I've got, where I applied a filter for archived=false and visibility != public, and well... the image speaks for itself: I also tried this with the filter flipped (archived = false, visiblity = [private, internal] and got public repos back as well. This can be reproduced in multiple orgs, and testing additional configurations of the visibility filter produces bugged results as well (for example, visibility != [public, internal] shows this: Thanks! |
Beta Was this translation helpful? Give feedback.
-
Just out of curioisity, is there plans to make CODEQL as a required check or if CodeQL finds a vuln that it prevents the PR from being merged. bascially adding more grandualr rules at the global level for prevetion. |
Beta Was this translation helpful? Give feedback.
-
Hey @KateCatlin - me again! :) Is there a known issue/limitation with attaching configurations to archived repositories? We are working on enabling GHAS for a client, and ran into an interesting behavior that we were able to reproduce in a test organization. tl;dr - we cannot apply configurations to archived repositories using the UI, and this seems to mess something up on the backend when you do try. We applied a configuration to an internal archived repository using only the API, and that went perfectly. It showed in the UI almost immediately after running the curl to apply it. We then went to the UI and tried to apply a configuration to a 2nd internal archived repository, and the UI hung with the blue banner stating it was updating the configuration for a couple of minutes. On page refresh, the blue banner is gone, but there's no sign that the configuration was applied. In fact, looking at the repository settings we can see that the configuration was not applied. So we decided to try to use the API to apply the configuration (thinking it might just be a UI bug) and the API call came back fine. That was now 15 minutes ago, and there's still nothing indicating that the configuration was applied. We re-ran the API, and received a 200 response, same behavior though (configuration not getting applied). Just for fun, we tried to attach the 2 archived repos to a different configuration using the API, and neither of them moved to the different configuration either (confirmed via API and UI). Thanks! |
Beta Was this translation helpful? Give feedback.
-
Beta Was this translation helpful? Give feedback.
-
💬 Your Product Feedback Has Been Submitted 🎉 Thank you for taking the time to share your insights with us! Your feedback is invaluable as we build a better GitHub experience for all our users. Here's what you can expect moving forward ⏩
Where to look to see what's shipping 👀
What you can do in the meantime 💻
As a member of the GitHub community, your participation is essential. While we can't promise that every suggestion will be implemented, we want to emphasize that your feedback is instrumental in guiding our decisions and priorities. Thank you once again for your contribution to making GitHub even better! We're grateful for your ongoing support and collaboration in shaping the future of our platform. ⭐ |
Beta Was this translation helpful? Give feedback.
-
I have quite a few customers are requesting to support below use case:
|
Beta Was this translation helpful? Give feedback.
-
Hi all–I'm going to close this issue down but thank you all so much for the amazing feedback over all this time! You really helped us make this product great! And feel free to create new ones for feedback about individual issues with code security configurations going forward, tagging @jenschelkopf henceforth! |
Beta Was this translation helpful? Give feedback.
-
What's new?
We're excited to announce the launch of our latest feature, security configurations! We're eager to hear what you think!
With this feature, you can:
What's next?
This release marks the beginning of our public beta phase!
There's still more to come before we officially roll out the feature. Now is the perfect time for your feedback to help us shape its future 🎉 🚀
Let's talk!
Got questions, comments, concerns, or just want to share some kudos? We're all ears! Your input matters, so let's start a conversation and make this feature even better together.
Beta Was this translation helpful? Give feedback.
All reactions