# Domain 7: Configure GitHub Advanced Security tools in GitHub Enterprise (10%)
Exam Tip
This domain covers enterprise-level features. You need to know how Security Overview tracks metrics natively, and what enterprise policies can be applied across organizations.
## Security Overview
The Security Overview dashboard provides a consolidated view of all GHAS feature status and alerts across an organization or enterprise.
### What Security Overview Shows
- Which repositories have each GHAS feature enabled (secret scanning, code scanning, Dependabot)
- Alert counts by severity across all repositories
- Open vs. closed/fixed alert trends over time
- Repositories with the most open critical alerts (risk exposure ranking)
### Who Can Access Security Overview
| Role | Level |
|---|---|
| Security managers | Organization-level overview |
| Organization owners | Organization-level overview |
| Enterprise owners | Enterprise-wide overview across all organizations |
Navigate to: Organization or Enterprise → Security tab → Overview
### Using Security Overview for Prioritization
- Filter by severity: Focus on Critical and High alerts first
- Filter by feature: Identify repositories with code scanning disabled
- Sort by alert count: Find the repositories with the highest vulnerability debt
- Track trends: Confirm that alert counts are decreasing over time (remediation is working)
## Metrics and Reporting
### Key GHAS Metrics to Track
| Metric | What it measures |
|---|---|
| Mean Time to Remediate (MTTR) | Average time from alert creation to resolution |
| Alert volume by severity | Total open alerts per severity level |
| Fix rate | % of alerts resolved vs. dismissed vs. open |
| Feature coverage | % of repositories with each GHAS feature enabled |
| New alerts per week | Rate of new vulnerabilities being introduced |
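The metrics in the table above are not reported as a single number by the Security Overview UI, so teams often compute them from exported alert data. The following is an added example (not part of this cheatsheet and not GitHub's own code) that derives MTTR, open volume by severity, fix rate and new alerts per window from a constructed list of alerts; the dictionary fields mirror the shape of GitHub's code scanning alert objects (`state`, `created_at`, `fixed_at`, `dismissed_at`, `rule.security_severity_level`), but the values are made up.

```python
from collections import Counter
from datetime import datetime

# Constructed sample data. Field names follow the shape of GitHub's
# code scanning alert objects; every value below is invented for the example.
SAMPLE_ALERTS = [
    {"number": 1, "state": "fixed", "created_at": "2024-03-01T00:00:00Z",
     "fixed_at": "2024-03-05T00:00:00Z", "dismissed_at": None,
     "rule": {"security_severity_level": "critical"}},
    {"number": 2, "state": "fixed", "created_at": "2024-03-02T00:00:00Z",
     "fixed_at": "2024-03-12T00:00:00Z", "dismissed_at": None,
     "rule": {"security_severity_level": "high"}},
    {"number": 3, "state": "dismissed", "created_at": "2024-03-03T00:00:00Z",
     "fixed_at": None, "dismissed_at": "2024-03-04T00:00:00Z",
     "rule": {"security_severity_level": "medium"}},
    {"number": 4, "state": "open", "created_at": "2024-03-10T00:00:00Z",
     "fixed_at": None, "dismissed_at": None,
     "rule": {"security_severity_level": "critical"}},
    {"number": 5, "state": "open", "created_at": "2024-03-15T00:00:00Z",
     "fixed_at": None, "dismissed_at": None,
     "rule": {"security_severity_level": "high"}},
]

def _ts(value):
    """Parse an ISO 8601 timestamp with a trailing 'Z' into an aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def open_alerts_by_severity(alerts):
    """Alert volume by severity: number of open alerts per severity level."""
    return dict(Counter(a["rule"]["security_severity_level"]
                        for a in alerts if a["state"] == "open"))

def mean_time_to_remediate_days(alerts):
    """MTTR: mean days from alert creation to fixed_at, over fixed alerts only.
    Dismissed alerts are excluded so that closing without a fix does not lower MTTR."""
    durations = [(_ts(a["fixed_at"]) - _ts(a["created_at"])).total_seconds()
                 for a in alerts if a["state"] == "fixed" and a["fixed_at"]]
    if not durations:
        return None
    return sum(durations) / len(durations) / 86400

def fix_rate(alerts):
    """Fix rate: share of all alerts that are fixed vs. dismissed vs. still open."""
    counts = Counter(a["state"] for a in alerts)
    total = len(alerts)
    return {s: round(counts[s] / total, 2) for s in ("fixed", "dismissed", "open")}

def new_alerts_in_window(alerts, start, end):
    """New alerts per week: alerts created in the half-open window [start, end)."""
    s, e = _ts(start), _ts(end)
    return sum(1 for a in alerts if s <= _ts(a["created_at"]) < e)
```

Pointing the same functions at the alerts returned by the organization-level code scanning alerts API, paged through in full, gives the org-wide figures the Security Overview trends are built from.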
## GitHub Advisory Database
- GitHub's vulnerability database powers Dependabot alerts
- Contains: CVEs from NVD + GitHub-curated advisories (GitHub Security Advisories)
- Organization security teams can also submit private security advisories for their own repositories
## Enterprise Policies
Enterprise owners can enforce GHAS policies across all organizations within the enterprise.
### Enforcing Features
- Enable Secret Scanning for all new organizations
- Enable Push Protection by default across all organizations
- Set Custom Patterns at the enterprise level, making them available to all orgs and repos automatically
- Standardize security manager access so the right teams can view and triage alerts centrally
Enforcing these settings at the enterprise level removes the ability of organization owners to turn them off, which keeps every organization in compliance.
## Enterprise Configuration Model
| Scope | Typical use |
|---|---|
| Enterprise | Set default policy, reporting visibility, and shared patterns across organizations |
| Organization | Roll out features to selected repositories and delegate security managers |
| Repository | Fine-tune workflows, required checks, and remediation operations |
TIP
For exam scenarios, choose the highest scope that matches the requirement. If the requirement says "across all organizations" or "enterprise-wide visibility," the answer is usually an enterprise-level control.
## Security Managers and Delegated Access
Enterprise and organization admins do not need to do all alert triage themselves.
- Security managers can review and manage security findings without needing broad admin rights everywhere
- This is useful when central AppSec teams need access to alerts across many repositories
- It supports separation of duties: platform admins configure GHAS, security managers triage, developers remediate
## Enterprise Exam Scenarios
| Scenario | Best answer direction |
|---|---|
| Need one dashboard across many orgs | Enterprise Security Overview |
| Need a secret pattern reused everywhere | Enterprise-level custom pattern |
| Need repo maintainers to keep local workflow flexibility | Set policy at org/enterprise, keep remediation in the repo |
| Need consistent enforcement for PR checks | Use rulesets or required checks centrally where possible |
## Domain 7 Quick Quiz
Who can access Security Overview at the organization level?