A GitHub CLI extension to create and apply security configurations across many organizations in a GitHub Enterprise.
> **Note:** This extension is intended for GitHub Enterprise Server (GHES) 3.15 and currently only supports configuring GitHub Advanced Security and Secret Scanning features as part of a security configuration. For GHES 3.16+ and GitHub Enterprise Cloud (GHEC), the recommended approach is Enterprise Security Configurations rather than this solution.
- GitHub CLI
- GitHub Advanced Security licenses and availability in your organizations.
- Confirm that you are authenticated with an account that has access to the enterprise and organizations you would like to interact with. You can check your authentication status by running:

  ```bash
  gh auth status
  ```

  Ensure that you have the necessary scopes (`read:enterprise` and `admin:org`). You can add scopes by running:

  ```bash
  gh auth login -s "read:enterprise,admin:org"
  ```

> **Important:** Enterprise admins do not inherently have access to all of the organizations in the enterprise. You must ensure that your account has the necessary permissions to access the organizations you want to modify. To elevate your permissions for an organization, refer to these GitHub docs.
To install this extension, run the following command:

```bash
gh extension install CallMeGreg/gh-security-config
```
The extension provides three main commands for managing security configurations across enterprise organizations:

- `generate` - Create and apply new security configurations across organizations
- `delete` - Remove existing security configurations from organizations
- `modify` - Update existing security configurations across organizations

These flags are available on all commands:

- `--org-list string` - Path to a CSV file containing organization names to target (one per line, no header)
- `--concurrency int` - Number of concurrent requests (1-20, default: 1)

The `generate` command has additional flags:

- `--copy-from-org string` - Organization name to copy an existing configuration from
- `--force` - Force deletion of existing configurations with the same name before creating new ones
```bash
# Create a new security configuration interactively
gh security-config generate

# Delete a security configuration interactively
gh security-config delete

# Modify a security configuration interactively
gh security-config modify
```
By default, all commands target every organization in the specified enterprise. You can limit the scope using the `--org-list` flag:

- CSV Format: Create a CSV file with one organization name per line (no header row required)
- Example CSV: See example-organizations.csv for the correct format
- Error Handling: If an organization from the CSV is not found or not accessible, the tool shows a warning and continues with the other organizations
The `--copy-from-org` flag allows you to copy an existing security configuration from one organization and apply it to other organizations in your enterprise. This is useful for:

- Standardizing configurations: Copy a well-tested configuration across multiple organizations
- Quick setup: Avoid recreating similar configurations from scratch
- Configuration migration: Move configurations between organizations

When copying, the extension applies the following rules:

- Source Organization Access: You must be an owner of the source organization to copy configurations
- Configuration Selection: Choose from the available security configurations in the source organization
- Settings Review: Review the configuration details that will be copied
- Target Filtering: The source organization is automatically excluded from the target organizations to prevent self-copying
> **Note:** When using `--copy-from-org`, you can still customize the repository attachment scope and default setting for the target organizations, even though the security settings themselves are copied from the source.
All commands support concurrent requests using the `--concurrency` flag to improve performance when working with many organizations.

- Default: `1` (sequential processing, maintains existing behavior)
- Range: `1-20` (validated to prevent excessive API usage)
- Usage: Available on all commands (`generate`, `delete`, `modify`)

Benefits of concurrent processing:

- Faster Execution: Significantly reduces total processing time for large numbers of organizations
- Configurable: Choose the concurrency level based on your needs and environment
- Progress Tracking: Real-time progress updates work seamlessly with concurrent processing
> **Warning:** Rate Limiting Considerations: Setting concurrency higher than 1 increases the likelihood of encountering GitHub's secondary rate limits. To avoid rate limiting issues, consider exempting the user from rate limits.
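The following Go program is an added example written for this README, not code from the gh-security-config extension itself. It shows how the `--org-list` CSV format (one name per line, no header) and the `--concurrency` bound (1-20) described above fit together: the org list is parsed, the concurrency value is validated, and a bounded worker pool fans out one call per organization while a failure for one organization is recorded as a warning rather than aborting the run. The `apply` callback and the "missing-org" entry are constructed stand-ins for the real API call; collapsing duplicate names is a choice made in this example, not documented extension behavior.

```go
package main

import (
	"bufio"
	"errors"
	"fmt"
	"io"
	"strings"
	"sync"
)

// parseOrgList reads the --org-list CSV format: one organization name per
// line, no header row. Blank lines and surrounding whitespace are ignored.
// Duplicate names are collapsed (an assumption of this example).
func parseOrgList(r io.Reader) ([]string, error) {
	var orgs []string
	seen := make(map[string]bool)
	sc := bufio.NewScanner(r)
	for sc.Scan() {
		name := strings.TrimSpace(sc.Text())
		if name == "" || seen[name] {
			continue
		}
		seen[name] = true
		orgs = append(orgs, name)
	}
	if err := sc.Err(); err != nil {
		return nil, err
	}
	if len(orgs) == 0 {
		return nil, errors.New("org list contains no organization names")
	}
	return orgs, nil
}

// validateConcurrency enforces the documented 1-20 bound on --concurrency.
func validateConcurrency(n int) error {
	if n < 1 || n > 20 {
		return fmt.Errorf("concurrency %d is outside the allowed range 1-20", n)
	}
	return nil
}

// Result is the outcome of processing one organization.
type Result struct {
	Org string
	Err error
}

// applyAll calls apply for every organization with at most `concurrency`
// calls in flight. A failure for one organization is recorded and the rest
// continue, matching the warn-and-continue behavior for missing organizations.
func applyAll(orgs []string, concurrency int, apply func(org string) error) ([]Result, error) {
	if err := validateConcurrency(concurrency); err != nil {
		return nil, err
	}
	results := make([]Result, len(orgs))
	sem := make(chan struct{}, concurrency) // bounded semaphore
	var wg sync.WaitGroup
	for i, org := range orgs {
		wg.Add(1)
		sem <- struct{}{} // blocks while `concurrency` calls are already running
		go func(i int, org string) {
			defer wg.Done()
			defer func() { <-sem }()
			results[i] = Result{Org: org, Err: apply(org)}
		}(i, org)
	}
	wg.Wait()
	return results, nil
}

// countFailures returns how many organizations could not be processed.
func countFailures(results []Result) int {
	n := 0
	for _, r := range results {
		if r.Err != nil {
			n++
		}
	}
	return n
}

func main() {
	// Constructed sample org list; these are not real organizations.
	const sampleCSV = "org-alpha\norg-beta\n\nmissing-org\norg-alpha\n"
	orgs, err := parseOrgList(strings.NewReader(sampleCSV))
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	// Stand-in for the per-organization API call; "missing-org" simulates an
	// organization that is not found or not accessible.
	apply := func(org string) error {
		if org == "missing-org" {
			return fmt.Errorf("organization %q not found or not accessible", org)
		}
		return nil
	}
	results, err := applyAll(orgs, 4, apply)
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	for _, r := range results {
		if r.Err != nil {
			fmt.Printf("warning: skipping %s: %v\n", r.Org, r.Err)
			continue
		}
		fmt.Printf("applied configuration to %s\n", r.Org)
	}
	fmt.Printf("%d of %d organizations failed\n", countFailures(results), len(results))
}
```

The semaphore channel is what keeps the number of in-flight requests at or below the chosen concurrency; raising it trades a shorter run for a higher chance of hitting the secondary rate limits the warning above describes.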
For the `delete` command, the extension will guide you through:

- Enterprise Setup: Enter your GitHub Enterprise slug and server URL (if using GitHub Enterprise Server)
- Configuration Selection: Specify the name of the security configuration to delete
- Confirmation: Review the operation summary and confirm deletion (defaults to cancel for safety)

> **Warning:** The delete operation will remove the specified security configuration from ALL organizations in the enterprise. This action cannot be undone. Repositories will retain their security settings but will no longer be associated with the configuration.
For the `modify` command, the extension will guide you through:

- Enterprise Setup: Enter your GitHub Enterprise slug and server URL (if using GitHub Enterprise Server)
- Configuration Selection: Specify the name of the security configuration to modify
- Current Settings Display: View the current configuration settings and description
- Settings Update: Interactively update each security setting, with the option to keep the current value
- Confirmation: Review the changes and confirm the modification before execution

> **Note:** The modify operation will update the specified security configuration across ALL organizations in the enterprise where it exists. Organizations without the configuration will be skipped.
The extension allows you to set the following features within the security configuration:

| Setting | Description | Options |
|---|---|---|
| GitHub Advanced Security | The enablement status of GitHub Advanced Security | `enabled`, `disabled` |
| Secret Scanning | Detect secrets in code | `enabled`, `disabled`, `not_set` |
| Secret Scanning Push Protection | Block commits with secrets | `enabled`, `disabled`, `not_set` |
| Secret Scanning Non-Provider Patterns | Scan for non-provider patterns | `enabled`, `disabled`, `not_set` |
| Enforcement | Restrict setting changes at the repository level | `enforced`, `unenforced` |

When attaching configurations to repositories, you can choose:

- `all`: Apply to all repositories in the organization
- `public`: Apply only to public repositories
- `private_or_internal`: Apply only to private and internal repositories
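The following Go program is an added example for this README, not code from the gh-security-config extension. It models a security configuration using exactly the option values from the table above and the attachment scopes from the list above, validates a configuration before anything is sent to an organization, and serializes the create and attach request bodies. The JSON field names (`advanced_security`, `secret_scanning`, `secret_scanning_push_protection`, `secret_scanning_non_provider_patterns`, `enforcement`, `scope`) are an assumption modelled on GitHub's code security configurations API, not taken from the extension's source; the consistency check that refuses secret scanning features while Advanced Security is disabled is also added by this example.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Permitted values for each setting, taken from the settings table.
var allowedValues = map[string][]string{
	"advanced_security":                     {"enabled", "disabled"},
	"secret_scanning":                       {"enabled", "disabled", "not_set"},
	"secret_scanning_push_protection":       {"enabled", "disabled", "not_set"},
	"secret_scanning_non_provider_patterns": {"enabled", "disabled", "not_set"},
	"enforcement":                           {"enforced", "unenforced"},
}

// Permitted repository attachment scopes, taken from the attachment list.
var allowedScopes = []string{"all", "public", "private_or_internal"}

// SecurityConfig models one security configuration. JSON field names are an
// assumption modelled on GitHub's code security configurations API.
type SecurityConfig struct {
	Name                              string `json:"name"`
	Description                       string `json:"description,omitempty"`
	AdvancedSecurity                  string `json:"advanced_security"`
	SecretScanning                    string `json:"secret_scanning"`
	SecretScanningPushProtection      string `json:"secret_scanning_push_protection"`
	SecretScanningNonProviderPatterns string `json:"secret_scanning_non_provider_patterns"`
	Enforcement                       string `json:"enforcement"`
}

func contains(list []string, v string) bool {
	for _, x := range list {
		if x == v {
			return true
		}
	}
	return false
}

// Validate rejects values outside the documented options so a typo is caught
// before any organization is touched.
func (c SecurityConfig) Validate() error {
	if c.Name == "" {
		return fmt.Errorf("configuration name is required")
	}
	fields := map[string]string{
		"advanced_security":                     c.AdvancedSecurity,
		"secret_scanning":                       c.SecretScanning,
		"secret_scanning_push_protection":       c.SecretScanningPushProtection,
		"secret_scanning_non_provider_patterns": c.SecretScanningNonProviderPatterns,
		"enforcement":                           c.Enforcement,
	}
	for field, value := range fields {
		if !contains(allowedValues[field], value) {
			return fmt.Errorf("%s: %q is not one of %v", field, value, allowedValues[field])
		}
	}
	// Consistency check added by this example: on GHES the secret scanning
	// features depend on Advanced Security, so enabling one while disabling
	// Advanced Security is almost certainly a mistake.
	if c.AdvancedSecurity == "disabled" {
		for _, v := range []string{c.SecretScanning, c.SecretScanningPushProtection, c.SecretScanningNonProviderPatterns} {
			if v == "enabled" {
				return fmt.Errorf("a secret scanning setting is enabled but advanced_security is disabled")
			}
		}
	}
	return nil
}

// CreateBody returns the JSON request body for creating the configuration.
func (c SecurityConfig) CreateBody() ([]byte, error) {
	if err := c.Validate(); err != nil {
		return nil, err
	}
	return json.Marshal(c)
}

// AttachBody returns the JSON body for attaching a configuration to
// repositories with one of the documented scopes.
func AttachBody(scope string) ([]byte, error) {
	if !contains(allowedScopes, scope) {
		return nil, fmt.Errorf("scope %q is not one of %v", scope, allowedScopes)
	}
	return json.Marshal(map[string]string{"scope": scope})
}

func main() {
	// Constructed example configuration.
	cfg := SecurityConfig{
		Name: "enterprise-baseline", Description: "GHAS with secret scanning and push protection",
		AdvancedSecurity: "enabled", SecretScanning: "enabled", SecretScanningPushProtection: "enabled",
		SecretScanningNonProviderPatterns: "not_set", Enforcement: "enforced",
	}
	body, err := cfg.CreateBody()
	if err != nil {
		fmt.Println("invalid configuration:", err)
		return
	}
	fmt.Println(string(body))
	attach, _ := AttachBody("private_or_internal")
	fmt.Println(string(attach))
}
```

Validating once up front matters here because the extension fans the same configuration out to every organization in scope: a rejected value is far cheaper to catch before the first request than to unwind after a partial rollout.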
To build the extension locally:

```bash
go build -o gh-security-config
```

To run the extension locally:

```bash
./gh-security-config --help
```

To contribute:

- Fork the repository
- Make your changes
- Submit a pull request
This tool is licensed under the MIT License.