Important! The content of this resource is provided "as is" for educational purposes and is not part of GitHub's official documentation. For GitHub's official documentation, please visit GitHub Docs.
GitHub Advanced Security (GHAS) Checklist
Pre-requisites
- [ ] Review the GHAS Kickoff Guide
- [ ] Enable GitHub Advanced Security for your entire organization. Take advantage of layered Security Configurations to target all or select repositories for Dependabot SCA, Secret Scanning, Push Protections, CodeQL and more.
Getting Started
- [ ] Explore your CodeQL Code Scanning and Secret Scanning results at the repository level, or across the organization in the Security Overview.
- [ ] Test out CodeQL in a Pull Request.
- [ ] Check out the organization Security Overview dashboard to get a comprehensive view of your security tooling adoption risk, alerts, and select metrics.
- [ ] Give your security team the privileges they need across the organization by assigning their team the Security Manager role.
- [ ] Set up discussions with developers and engineers to review GHAS scan results, the ideal developer workflow, and integrations.
Diving Deeper
Code Scanning
- [ ] Test out code scanning alert Autofix powered by GitHub Copilot and CodeQL
- [ ] Test dismissing unwanted Code Scanning or Secret Scanning alerts to a "Closed" state with a reason such as "Used in tests".
- [ ] Configure code scanning pull request checks and repository rules (if you would like to make CodeQL a required status check).
- [ ] Test expanding your CodeQL query set to include lower-severity queries.
- [ ] Test uploading results of other SARIF-based SAST tools directly into the GHAS user experience, e.g. container scanning with Anchore from the GitHub Marketplace.
- [ ] If you are using the advanced setup, customize your codeql-analysis.yml workflow to avoid unnecessary scans, etc.
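The three items above (pull request checks, an expanded query set, and avoiding unnecessary scans) come together in one advanced-setup workflow. The file below is an added example for this checklist, not a workflow from the page or from GitHub's starter workflows; the branch name, the `paths-ignore` globs, the two languages in the matrix and the cron schedule are assumptions to adapt to your repository.

```yaml
# .github/workflows/codeql-analysis.yml (added example; adapt languages, branches and paths)
name: "CodeQL"

on:
  push:
    branches: [ "main" ]
    # Assumed policy: commits that only touch docs do not need a full scan
    paths-ignore:
      - "**/*.md"
      - "docs/**"
  pull_request:
    branches: [ "main" ]
    paths-ignore:
      - "**/*.md"
      - "docs/**"
  schedule:
    # Weekly scan picks up newly published queries even when no code changed
    - cron: "17 3 * * 1"

permissions:
  contents: read
  security-events: write   # required to upload SARIF results to code scanning

jobs:
  analyze:
    # The check name that appears in branch protection / repository rules is
    # "Analyze (<language>)"; select it there to make CodeQL a required check.
    name: Analyze (${{ matrix.language }})
    runs-on: ubuntu-latest
    strategy:
      fail-fast: false
      matrix:
        include:
          # Interpreted languages need no build, so build-mode is "none"
          - language: javascript-typescript
            build-mode: none
          - language: python
            build-mode: none

    steps:
      - uses: actions/checkout@v4

      - name: Initialize CodeQL
        uses: github/codeql-action/init@v3
        with:
          languages: ${{ matrix.language }}
          build-mode: ${{ matrix.build-mode }}
          # Expand the default suite with lower-severity / lower-precision queries
          queries: security-extended

      - name: Perform CodeQL Analysis
        uses: github/codeql-action/analyze@v3
        with:
          # One category per language so results from each matrix leg are kept separately
          category: "/language:${{ matrix.language }}"
```

Two points worth checking when you adopt this: `paths-ignore` on the trigger only decides whether the workflow runs at all (file-level filtering of what CodeQL analyzes belongs in a CodeQL configuration file), and a required status check that never runs because of a path filter will block the pull request, so either scope the filter carefully or keep a `pull_request` trigger without path filters for protected branches.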
Secret Scanning
- [ ] You can use secret scanning to prevent supported secrets from being pushed into your organization or repository by enabling push protection.
- [ ] Test custom patterns for secret scanning (see the examples of custom secret scanning patterns).
- [ ] Enable validity checks for Secret Scanning. Once enabled, GitHub periodically checks whether a detected credential is still valid by sending the secret directly to the provider, as part of GitHub's secret scanning partnership program.
- [ ] Generate regular expressions for custom patterns with AI
- [ ] Use AI to detect generic secrets
Dependabot
- [ ] Use Dependency Review enforcement. The action scans pull requests for newly introduced vulnerable dependency versions or blocked open source licenses and warns you about the associated security vulnerabilities.
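An enforcing dependency review workflow, as an added example for this checklist (not a workflow from the page or from the dependency-review-action project). The severity threshold, the denied license list, the scope rule and the branch name are assumed policy choices; the action inputs used (`fail-on-severity`, `deny-licenses`, `fail-on-scopes`, `comment-summary-in-pr`) are real inputs of `actions/dependency-review-action`.

```yaml
# .github/workflows/dependency-review.yml (added example; policy values are assumptions)
name: Dependency Review

on:
  # The action diffs the dependency manifests between base and head, so it
  # only makes sense on pull_request events.
  pull_request:
    branches: [ "main" ]

permissions:
  contents: read
  pull-requests: write   # needed so the action can post its summary comment

jobs:
  dependency-review:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: Review dependency changes
        uses: actions/dependency-review-action@v4
        with:
          # Fail the check when a newly introduced dependency carries a known
          # vulnerability of this severity or higher (low|moderate|high|critical)
          fail-on-severity: high
          # Assumed org policy: block these copyleft licenses (SPDX identifiers).
          # deny-licenses and allow-licenses are mutually exclusive; use one.
          deny-licenses: GPL-3.0, AGPL-3.0
          # Only runtime dependencies block the merge; development-only
          # dependencies are still reported but do not fail the check
          fail-on-scopes: runtime
          # Always post the findings summary to the pull request
          comment-summary-in-pr: always
```

To make this an enforced gate rather than a warning, add the `dependency-review` job as a required status check in the branch protection or repository rules for the protected branch; the action then blocks the merge instead of only annotating the pull request.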
Bonus
- [ ] Define custom repository roles to assign granular permissions, such as read/write/delete on code scanning results.
- [ ] Create a custom CodeQL configuration file to do things like include or exclude specific queries and paths.
- [ ] Explore the GHAS auditing capabilities: the Code Scanning API and the Secret Scanning API.
- [ ] Write your own CodeQL Query and run it as part of your Code Scans.
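A CodeQL configuration file that covers the "include/exclude specific queries" item above, as an added example (not a file from the page or from the CodeQL project). The repository layout under `paths` / `paths-ignore` and the choice of rule to exclude are assumptions; `js/log-injection` is a real JavaScript query id used here only to show the filter syntax.

```yaml
# .github/codeql/codeql-config.yml (added example; paths and the excluded rule are assumptions)
# Reference it from the init step: github/codeql-action/init with
#   config-file: ./.github/codeql/codeql-config.yml
name: "Custom CodeQL config"

# Keep the default query suite and add to it. Set this to true only if you
# want the queries/packs listed below to be the complete set that runs.
disable-default-queries: false

queries:
  # Built-in suite with lower-severity and lower-precision queries
  - uses: security-extended

query-filters:
  # Remove one rule everywhere in this repository, by its rule id, rather
  # than dismissing each alert by hand (assumed decision for this example)
  - exclude:
      id: js/log-injection
  # From whatever suites are selected, keep only queries tagged "security"
  - include:
      tags contain: security

# Path filters apply to interpreted languages (JavaScript/TypeScript, Python,
# Ruby, etc.); compiled languages are analyzed as they are built.
paths:
  - src
paths-ignore:
  - src/**/__tests__
  - "**/*.min.js"
```

The `queries` input on the init step overrides the `queries` list in this file unless it is prefixed with `+`, so when both are set, use `queries: +security-extended` in the workflow to add rather than replace.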
Additional Integrations
- [ ] Get a detailed GHAS metrics dashboard in your SIEM solution (Splunk, Azure Sentinel, Datadog, Sumo Logic, Elastic) or vulnerability management platform (Brinqa, Kenna Security, Nucleus, ThreadFix); see also the Any SIEM Integration Guide.
- [ ] Leverage the official Jira integration to automatically synchronize the status of GHAS alerts with Security in Jira.
- [ ] GitHub Advanced Security API to CSV is a "simple GitHub Action to scrape the GitHub Advanced Security API and shove it into a CSV".
- [ ] SARIF Viewer for Visual Studio Code and SARIF Viewer for JetBrains IDEs enable viewing Code Scanning results in a dedicated SARIF results panel in the IDE.
- [ ] Use the Parallel Code Scanning Action to parallelize the code scans of interpreted-language monorepos by splitting the scanning work into several parallel jobs, each of which analyzes only a subset of the files in the repository.
- [ ] Define "Policy-as-Code" with the Advanced Security Compliance GitHub Action. Advanced Security Compliance lets you configure YAML-based risk thresholds for security issues reported by GitHub Code Scanning, Secret Scanning and Dependabot. Create policies for open source dependency license usage, specific CodeQL rule blocks, time to remediation and more.
- [ ] Test out GHAS PR Notifications. A GitHub App that demonstrates how to add detailed code scanning comments to Pull Requests and track closed findings.
- [ ] Create Slack Notifications for Code Scanning Results