Security Track | 45 min

Challenge S-05: Security Campaigns (Advanced)

Description

Individual alerts are useful. Coordinated remediation across an entire codebase is powerful. Security campaigns let you group related alerts, set deadlines, and track remediation progress — turning a wall of alerts into a structured plan that a team can execute.

Important: Security campaigns require a GitHub Team plan (or higher) with a Code Security license at the organization level. This is an organization-level feature, not a repository-level one. If you have the right access, you'll create a real campaign. If you don't, you'll document how campaigns work and how you'd set one up — that understanding is still valuable.

This is how security gets done at scale. Not one alert at a time, but as a coordinated effort with deadlines and accountability.

Objectives

  • Navigate to your organization's Security Overview (Security tab at org level)
  • Create a security campaign scoping relevant alerts
  • Set a campaign name, description, and due date
  • Track remediation progress within the campaign
  • If org-level access is unavailable: document the campaign setup process and how you would configure it

Success Criteria

  • Security Overview accessed at the organization level
  • Security campaign created with a descriptive name and due date
  • At least 5 code scanning alerts included in the campaign scope
  • Campaign progress tracked (alerts triaged, assigned, or fixed)
  • OR, if org-level access is unavailable: written documentation of how security campaigns would be set up, including scope selection, timeline, and tracking workflow

Learning Resources