Recommendations
All best-practice recommendations evaluated by GitHub Quick Review (ghqr)
GitHub Quick Review (ghqr) evaluates your GitHub resources against the following best-practice recommendations. Each recommendation has a stable ID, scope, category, and severity level.
Recommendations are grouped by scope:
- repository - Evaluated against each scanned repository
- organization - Evaluated against each scanned organization
- enterprise - Evaluated against a GitHub Enterprise Cloud tenant
- ghes - Evaluated against a GitHub Enterprise Server appliance
Severity levels range from critical (immediate risk) to info (informational observation). See the Overview for a full description of severity levels.
| ID | Scope | Category | Severity | Title |
|---|---|---|---|---|
| ent-alert-001 | enterprise | dependencies | critical | Critical Dependabot alerts open across enterprise |
| ent-alert-002 | enterprise | dependencies | high | High-severity Dependabot alerts open across enterprise |
| ent-alert-003 | enterprise | security | high | Code scanning alerts open across enterprise |
| ent-alert-004 | enterprise | security | critical | Secret scanning alerts open across enterprise |
| ent-budget-001 | enterprise | budget | critical | No billing budgets configured |
| ent-budget-002 | enterprise | budget | high | No budgets have alerting enabled |
| ent-budget-003 | enterprise | budget | medium | Budgets without usage prevention when exceeded |
| ent-ghas-001 | enterprise | security | high | GitHub Advanced Security not enabled at enterprise level |
| ent-ghas-002 | enterprise | security | high | Secret scanning not enabled as enterprise default |
| ent-ghas-003 | enterprise | security | high | Secret scanning push protection not enabled as enterprise default |
| ent-ghas-004 | enterprise | dependencies | high | Dependabot alerts not enabled as enterprise default |
| ent-ghas-005 | enterprise | dependencies | medium | Dependabot security updates not enabled as enterprise default |
| ent-ghas-006 | enterprise | dependencies | medium | Dependency graph not enabled as enterprise default |
| ent-ghas-007 | enterprise | security | low | Secret scanning for non-provider patterns not enabled as enterprise default |
| ent-log-001 | enterprise | security | critical | Suspicious audit log events detected |
| ent-log-002 | enterprise | security | high | Audit log streaming configuration cannot be verified |
| ghes-actions-001 | ghes | actions | medium | GitHub Actions is not enabled on the GHES instance |
| ghes-actions-002 | ghes | actions | info | GitHub Actions is enabled on the GHES instance |
| ghes-actions-003 | ghes | actions | info | GitHub Actions status could not be confirmed on this GHES instance |
| ghes-audit-001 | ghes | security | critical | Suspicious audit log events detected |
| ghes-audit-002 | ghes | security | info | No suspicious audit log events detected |
| ghes-auth-001 | ghes | ghes_authentication | high | Password authentication is enabled on the GHES instance |
| ghes-auth-002 | ghes | ghes_authentication | critical | GHES is using built-in authentication instead of an external identity provider |
| ghes-auth-003 | ghes | ghes_authentication | info | GHES authentication mode observed |
| ghes-auth-004 | ghes | ghes_authentication | high | Open signup is enabled on the GHES instance |
| ghes-auth-005 | ghes | ghes_authentication | medium | High percentage of GHES users are suspended |
| ghes-infra-001 | ghes | ghes_infrastructure | medium | Administrative SSH access is enabled on the GHES instance |
| ghes-infra-002 | ghes | ghes_infrastructure | info | GHES management settings could not be read; configuration checks were skipped |
| ghes-infra-003 | ghes | security | high | Audit log forwarding configuration cannot be verified automatically |
| ghes-infra-004 | ghes | ghes_infrastructure | high | GHES backup configuration cannot be verified automatically |
| ghes-infra-005 | ghes | ghes_infrastructure | medium | High availability (HA) replica configuration cannot be verified automatically |
| ghes-infra-006 | ghes | security | high | GHES signing key rotation status cannot be verified automatically |
| ghes-license-001 | ghes | ghes_license | high | GHES license is expiring soon |
| ghes-license-002 | ghes | ghes_license | high | GHES license seat utilisation is high |
| ghes-license-003 | ghes | ghes_license | info | GHES license seat utilisation summary |
| ghes-license-004 | ghes | ghes_license | info | GHES license is unlimited |
| ghes-license-005 | ghes | ghes_license | critical | GHES license expires within 30 days |
| ghes-net-001 | ghes | ghes_networking | critical | Subdomain isolation is not enabled |
| ghes-net-002 | ghes | ghes_networking | critical | Private mode is disabled |
| ghes-net-003 | ghes | ghes_networking | medium | Public GitHub Pages are enabled on the GHES instance |
| ghes-net-004 | ghes | ghes_networking | critical | GitHub Pages is enabled while subdomain isolation is disabled |
| ghes-sec-001 | ghes | security | high | GitHub Advanced Security (GHAS) is not enabled on the GHES instance |
| ghes-sec-002 | ghes | security | high | Secret scanning is not enabled on the GHES instance |
| ghes-sec-003 | ghes | security | info | Secret scanning status could not be confirmed on this GHES instance |
| ghes-sec-004 | ghes | security | high | Secret scanning push protection is not enabled |
| ghes-sec-005 | ghes | security | high | Code scanning is not enabled on the GHES instance |
| ghes-sec-006 | ghes | security | info | Code scanning status could not be confirmed on this GHES instance |
| ghes-sec-007 | ghes | dependencies | critical | Critical Dependabot alerts open across the GHES instance |
| ghes-sec-008 | ghes | dependencies | high | High-severity Dependabot alerts open across the GHES instance |
| ghes-sec-009 | ghes | security | high | Code scanning alerts open across the GHES instance |
| ghes-sec-010 | ghes | security | critical | Secret scanning alerts open across the GHES instance |
| ghes-sec-011 | ghes | dependencies | high | Dependabot alerts are not enabled on the GHES instance |
| ghes-sec-012 | ghes | dependencies | info | Dependabot alerts status could not be confirmed on this GHES instance |
| ghes-sec-013 | ghes | dependencies | medium | Dependabot security updates are not enabled on the GHES instance |
| ghes-sec-014 | ghes | dependencies | info | Dependabot alerts API could not be confirmed on this GHES instance |
| ghes-sec-015 | ghes | security | info | Code scanning alerts API could not be confirmed on this GHES instance |
| ghes-sec-016 | ghes | security | info | Secret scanning alerts API could not be confirmed on this GHES instance |
| ghes-server-001 | ghes | ghes_server | info | GHES instance version detected |
| ghes-server-002 | ghes | ghes_server | info | GHES version is within the supported release window |
| ghes-server-003 | ghes | ghes_server | high | GHES version is no longer in support |
| ghes-server-004 | ghes | ghes_server | medium | GHES version string could not be parsed |
| ghes-server-005 | ghes | ghes_server | medium | GHES server version could not be determined |
| ghes-server-006 | ghes | ghes_server | high | GHES instance is currently in maintenance mode |
| ghes-stats-001 | ghes | ghes_server | info | GHES user population summary |
| ghes-stats-002 | ghes | ghes_server | info | GHES organization summary |
| ghes-stats-003 | ghes | ghes_server | info | GHES repository summary |
| ghes-stats-004 | ghes | ghes_server | low | Disabled organisations present on the GHES instance |
| ghes-stats-005 | ghes | access_control | high | High number of site administrators on the GHES instance |
| org-act-001 | organization | actions | high | Default GITHUB_TOKEN permission is write |
| org-act-002 | organization | actions | high | GitHub Actions allows all third-party actions |
| org-act-003 | organization | actions | low | Actions restricted to local repositories only |
| org-alert-001 | organization | dependencies | critical | Critical Dependabot alerts open across organization |
| org-alert-002 | organization | dependencies | high | High-severity Dependabot alerts open across organization |
| org-alert-003 | organization | dependencies | medium | Open Dependabot alerts across organization |
| org-alert-004 | organization | security | high | Code scanning alerts open across organization |
| org-alert-005 | organization | security | critical | Secret scanning alerts open across organization |
| org-cop-001 | organization | copilot_cost | medium | Copilot seats assigned to all organization members |
| org-cop-002 | organization | copilot_security | high | Copilot allowed to suggest code matching public repositories |
| org-cop-003 | organization | copilot_cost | medium | High percentage of inactive Copilot seats |
| org-def-001 | organization | dependencies | high | Dependabot alerts not enabled by default for new repositories |
| org-def-002 | organization | dependencies | medium | Dependabot security updates not enabled by default for new repositories |
| org-def-003 | organization | dependencies | medium | Dependency graph not enabled by default for new repositories |
| org-def-004 | organization | security | high | Secret scanning not enabled by default for new repositories |
| org-def-005 | organization | security | high | Secret scanning push protection not enabled by default for new repositories |
| org-def-006 | organization | security | medium | GitHub Advanced Security not enabled by default for new repositories |
| org-sec-001 | organization | security | high | Two-factor authentication not required |
| org-sec-002 | organization | security | medium | Web commit signoff not required |
| org-sec-003 | organization | access_control | high | Default repository permission set to admin |
| org-sec-004 | organization | access_control | medium | Members can create public repositories |
| org-sec-005 | organization | access_control | medium | No security manager team assigned |
| org-sec-006 | organization | security | info | EMU enabled: two-factor authentication is controlled by your identity provider |
| repo-acc-001 | repository | access_control | high | Excessive admin collaborators |
| repo-acc-002 | repository | access_control | medium | Direct collaborators instead of teams |
| repo-acc-003 | repository | security | high | Deploy keys with write access |
| repo-acc-004 | repository | security | medium | Unverified deploy keys |
| repo-acc-005 | repository | security | medium | Deploy keys present — consider GitHub Apps or OIDC |
| repo-bp-001 | repository | branch_protection | critical | No branch protection configured on default branch |
| repo-bp-002 | repository | branch_protection | critical | No approving reviews required before merge |
| repo-bp-003 | repository | branch_protection | medium | Only 1 approving review required |
| repo-bp-004 | repository | branch_protection | high | Stale reviews not dismissed on new commits |
| repo-bp-005 | repository | branch_protection | medium | Code owner review not required |
| repo-bp-006 | repository | branch_protection | critical | Pull request reviews not configured |
| repo-bp-007 | repository | branch_protection | high | Strict status checks not enabled |
| repo-bp-008 | repository | branch_protection | high | No specific status checks required |
| repo-bp-009 | repository | branch_protection | high | No required status checks configured |
| repo-bp-010 | repository | branch_protection | critical | Force pushes allowed on protected branch |
| repo-bp-011 | repository | branch_protection | high | Branch deletion allowed on protected branch |
| repo-bp-012 | repository | branch_protection | medium | Signed commits not required |
| repo-bp-013 | repository | branch_protection | low | Linear history not required |
| repo-bp-014 | repository | branch_protection | info | Branch protected by repository rulesets (not legacy branch protection) |
| repo-comm-001 | repository | community | info | GitHub Discussions not enabled |
| repo-feat-001 | repository | features | low | Issues and Discussions both disabled |
| repo-feat-002 | repository | maintenance | low | Auto-delete branches on merge not enabled |
| repo-meta-001 | repository | community | medium | Repository has no description |
| repo-meta-002 | repository | community | low | Repository has no topics |
| repo-meta-003 | repository | maintenance | low | Repository appears dormant but is not archived |
| repo-sec-001 | repository | security | high | Dependabot alerts not enabled |
| repo-sec-002 | repository | security | critical | Critical Dependabot alerts open |
| repo-sec-003 | repository | security | high | High-severity Dependabot alerts open |
| repo-sec-004 | repository | security | low | No SECURITY.md file found |
| repo-sec-005 | repository | access_control | medium | No CODEOWNERS file found |
| repo-sec-006 | repository | security | medium | Dependabot alerts enabled but no dependabot.yml found |
| repo-sec-007 | repository | security | high | Dependabot not configured |
| repo-sec-008 | repository | security | high | Code scanning (CodeQL) not configured |
| repo-sec-009 | repository | security | info | No custom CodeQL configuration file |