GitHub Advanced Security Kickoff

Welcome to GitHub Advanced Security!

This guide is intended to help you get started with GitHub Advanced Security.

Introduction to GitHub Advanced Security

GitHub Advanced Security (GHAS) is a suite of capabilities for improving your application security posture. GHAS expands upon the Dependabot Software Composition Analysis (SCA) tools you already have today by adding:

This suite of security features is designed to give you comprehensive SAST, Secret Scanning, and SCA (supply chain security) coverage natively in GitHub with an emphasis on developer experience and automation.

Required Preparation

  1. You will need a GitHub Org Admin for Org-wide GHAS + Secret Scanning Enablement.
  2. If you have a security team, it's recommended to assign them the security manager role so they can view security overview.

The Plan: GHAS Getting Started

  1. Utilize the organization security settings to rollout GHAS featureset
  2. Enable Secret Scanning for organization
  3. Configure Code Scanning on some initial repos using either one-click default setup (automated) or advanced setup (YAML based).
  4. Dive into the GHAS Checklist to explore the platform and tune GHAS to your business's needs.

Note (optional): Software Composition Analysis (SCA) with Dependabot

Dependabot Platform Overview + Open Source Dependency License Management with Dependabot

  1. Enable Dependency Graph for the organization
  2. Enable Dependabot Alerts for organization

1+2: Turn on GitHub Advanced Security (GHAS) / Secret Scanning for entire Organization

Utilize the organization security settings to rollout GHAS featureset

  • Organization Settings --> Code security and analysis --> GitHub Advanced Security --> Enable All
  • Organization Settings --> Code security and analysis --> Secret Scanning --> Enable All
  • Organization Settings --> Code security and analysis --> Push protection --> Enable All (will need to wait until initial secret scan completes)

NOTE: Alerts for leaked secrets will only be visible to those who have repository admin rights where the secret is found. Organization admins and security managers will be able to see the alerts at the organization level in "security overview" as well as at the repository level.

NOTE: All GHAS scanning tools (Code Scanning / Secret Scanning / Push Protection) can also be enabled/disabled per repository. Here is how to enable a feature for a selection of repositories.

3: Configure Code Scanning

Code scanning is a developer-first static application security testing (SAST) product that is built into GitHub. Once configured, it scans every code change in your repository for security vulnerabilities, and flags them in the developer workflow. This makes it easy to find security vulnerabilities in your code before they ever reach production.

Code scanning is powered by the CodeQL analysis engine to find potential vulnerabilities. Out of the box, Code Scanning includes hundreds of CodeQL queries written and open-sourced by the GitHub Security Lab and leading security researchers to find potential vulnerabilities in your code with minimal configuration.

Getting Started with Code Scanning with CodeQL

The fastest way to start scanning with CodeQL is to follow the one-click default setup at scale guide.

Another option is to go repository by repository with the advanced setup which creates a customizable GitHub Actions Workflow file in the repo with the CodeQL Action configured. You also have the option to run code scanning within your own CI system.
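The advanced setup described above generates a workflow file under .github/workflows/ in the repository. The following is an added example of such a workflow (not a file generated by GitHub or taken from this guide) showing the pieces a team typically tunes: the triggers, the permissions the job needs to upload results, and the languages and query suite. The language list, the cron schedule and the choice of the security-extended suite are assumptions for illustration.

```yaml
name: "CodeQL (advanced setup example)"

on:
  push:
    branches: [ "main" ]
  pull_request:
    branches: [ "main" ]
  schedule:
    - cron: "30 3 * * 1"   # assumption: weekly full scan, Mondays 03:30 UTC

permissions:
  contents: read
  security-events: write   # required so the analyze step can upload alerts to Code Scanning

jobs:
  analyze:
    name: Analyze (${{ matrix.language }})
    runs-on: ubuntu-latest
    strategy:
      fail-fast: false       # keep scanning the other languages if one analysis fails
      matrix:
        # assumption: the repository contains JavaScript/TypeScript and Python code
        language: [ "javascript-typescript", "python" ]
    steps:
      - name: Checkout repository
        uses: actions/checkout@v4

      - name: Initialize CodeQL
        uses: github/codeql-action/init@v3
        with:
          languages: ${{ matrix.language }}
          # assumption: the team wants the broader security-extended suite
          # instead of the default query suite
          queries: security-extended

      # Interpreted languages need no build step. For compiled languages
      # (Java, C/C++, Go, ...), add a build step here between init and analyze.

      - name: Perform CodeQL analysis
        uses: github/codeql-action/analyze@v3
        with:
          # category keeps results from each matrix entry separate in the alert list
          category: "/language:${{ matrix.language }}"
```

Because the workflow runs on pull_request, new findings show up as annotations in the PR before merge; the scheduled run catches issues introduced through newly added queries rather than through code changes.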

You can view, fix, and close alerts for potential vulnerabilities or errors directly within the repository. See Managing alerts from code scanning for more information on viewing existing alerts. Additionally, new alerts will be displayed for triage directly within Pull Requests.

Support for third party code scanning integrations

In addition to CodeQL analysis, GitHub also supports analysis using third-party tools. These marketplace integrations range from additional SAST vendors to container scanning partners. ANY SAST tool that exports an industry-standard SARIF file can be ingested directly into the GHAS Code Scanning platform.

Examples include:

  1. Container scanning with Anchore or Trivy from the GitHub Marketplace.

  2. Infrastructure as Code with tfsec.
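As an added example of the SARIF ingestion path (not a workflow from this guide or from the tool vendors), the workflow below builds a container image, scans it with Trivy, and hands the SARIF output to the same upload-sarif action that CodeQL uses, so the findings land in the repository's Code Scanning alerts alongside CodeQL results. The image name, the Dockerfile location and the severity filter are assumptions for illustration.

```yaml
name: "Container scan via SARIF (example)"

on:
  push:
    branches: [ "main" ]
  pull_request:

permissions:
  contents: read
  security-events: write   # required for upload-sarif to write Code Scanning alerts

jobs:
  trivy:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: Build image
        # assumption: a Dockerfile exists at the repository root
        run: docker build -t example-app:${{ github.sha }} .

      - name: Run Trivy vulnerability scanner
        # pin to a release tag or commit SHA in production rather than a branch
        uses: aquasecurity/trivy-action@master
        with:
          image-ref: "example-app:${{ github.sha }}"
          format: "sarif"
          output: "trivy-results.sarif"
          severity: "CRITICAL,HIGH"   # assumption: only surface the highest severities

      - name: Upload SARIF to GitHub Code Scanning
        if: always()   # upload results even if the scan step exited non-zero on findings
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: "trivy-results.sarif"
          # category separates this tool's results from CodeQL and other SARIF uploads
          category: "trivy-container"
```

The same upload-sarif step works for any tool that writes SARIF to a file; only the scanning step changes. Giving each tool its own category prevents one upload from closing alerts that another tool produced.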

4: GHAS Checklist

A curated checklist of things to explore in GitHub Advanced Security.