
GitHub Advanced Security Permissions Chart

Overview

I have several posts discussing GitHub Advanced Security, but in practice the question I get most often is: “Who can access the alerts on each repository?”

I hope to solve that with this permissions / access requirements chart!

See also: GitHub Advanced Security Feature Comparison

Access requirements for security features

This chart is loosely based on the one from GitHub, with a few additions, modifications, and clarifications.

Notes:

  • [1] Repository writers and maintainers can only see alert information for their own commits
  • [2] At the enterprise security overview level, you only see organizations to which you have been added as an org owner or security manager
  • [3] Security managers get read-only access to every repository in the organization
  • This chart primarily focuses on GitHub Advanced Security in GitHub Enterprise Cloud

Granting access to security alerts

Security alerts for a repository are visible to people with admin access to the repository and, when the repository is owned by an organization, organization owners. You can also give additional teams and people access to the alerts.

When adding users to be able to view security alerts, there is a bit of text that explains (emphasis mine):

Admins, users, and teams in the list below have permission to view and manage code scanning, Dependabot, or secret scanning alerts. These users may be notified when a new vulnerability is found in one of this repository’s dependencies and when a secret or key is checked in. They will also see additional details when viewing Dependabot security updates. Individuals can manage how they receive these alerts in their notification settings.

Note: Organization owners and repository administrators can only grant access to view security alerts, such as secret scanning alerts, to people or teams who have write access to the repo.
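As an added example (not code from the original post), here is a small Python audit helper that encodes the rules above (notes [1] and [3], plus the rule that alert access can only be granted to people with write access) and runs it over a constructed collaborator snapshot shaped like the GitHub collaborators API response. The logins, team memberships and the assumption that security managers can see alerts in every organization repository are mine.

```python
from typing import Dict, List, Set

# Constructed snapshot, shaped like the objects GET /repos/{owner}/{repo}/collaborators
# returns (a login plus a "permissions" map); every login and flag here is made up.
COLLABORATORS: List[dict] = [
    {"login": "alice", "permissions": {"admin": True,  "maintain": True,  "push": True,  "triage": True, "pull": True}},
    {"login": "bob",   "permissions": {"admin": False, "maintain": False, "push": True,  "triage": True, "pull": True}},
    {"login": "carol", "permissions": {"admin": False, "maintain": False, "push": False, "triage": True, "pull": True}},
    {"login": "dave",  "permissions": {"admin": False, "maintain": True,  "push": True,  "triage": True, "pull": True}},
]
ORG_OWNERS: Set[str] = {"olivia"}                  # organization owners (constructed)
SECURITY_MANAGERS: Set[str] = {"sam"}              # members of a security manager team (constructed)
ALERT_ACCESS_GRANTS: Set[str] = {"bob", "carol"}   # people added under "Access to alerts" (constructed)


def has_write(perms: Dict[str, bool]) -> bool:
    """Write access in the post's sense: the write, maintain or admin role."""
    return any(perms.get(k, False) for k in ("push", "maintain", "admin"))


def alert_access(login: str, perms: Dict[str, bool]) -> str:
    """Classify one user's view of the repository's security alerts."""
    if login in ORG_OWNERS or perms.get("admin", False):
        return "all alerts (view and manage)"          # repo admins and org owners
    if login in SECURITY_MANAGERS:
        return "all alerts (security manager role)"     # note [3]; org-wide visibility assumed
    if login in ALERT_ACCESS_GRANTS and has_write(perms):
        return "all alerts (view and manage)"          # explicit grant, valid only with write access
    if has_write(perms):
        return "own commits only"                       # note [1]: writers and maintainers
    return "none"                                       # read/triage, or not a collaborator


def audit_repo() -> Dict[str, str]:
    """Answer "who can access the alerts?" for the constructed snapshot."""
    result = {c["login"]: alert_access(c["login"], c["permissions"]) for c in COLLABORATORS}
    for login in ORG_OWNERS | SECURITY_MANAGERS:       # they need not be repo collaborators
        result.setdefault(login, alert_access(login, {}))
    return result


def invalid_grants() -> Set[str]:
    """Grants that do not take effect: alert access can only go to people with write access."""
    perms = {c["login"]: c["permissions"] for c in COLLABORATORS}
    return {login for login in ALERT_ACCESS_GRANTS if not has_write(perms.get(login, {}))}


if __name__ == "__main__":
    for login, access in sorted(audit_repo().items()):
        print(f"{login:8} {access}")
    print("grants that do not take effect:", sorted(invalid_grants()))
```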

Custom Repository Roles

Organization administrators can create Custom Repository Roles to customize and fine-tune different permission sets that repository administrators can grant. For example, I want to create a role that allows users to have Write access AND be able to view/dismiss Dependabot Alerts:

Figure: Custom repository roles - creating a custom role to allow viewing/managing of Dependabot alerts

Changelog

Date         Note
Mar 11 2021  Adding section about security alerts
Mar 08 2021  Initial post
This post is licensed under CC BY 4.0 by the author.
