Duration: 2 hours
Level: Basic
Prerequisites:
- Completed Module 01
- GitHub account with admin access to a repository
- Basic understanding of Git and GitHub
By the end of this module, you will:
- Understand GitHub Advanced Security (GHAS) components
- Enable and configure GHAS features
- Configure Dependabot for automated dependency updates
- Set up code scanning with CodeQL
- Implement secret scanning and push protection
- Create security policies for your repository
- Introduction to GHAS
- Enabling GitHub Advanced Security
- Dependabot Configuration
- Code Scanning with CodeQL
- Secret Scanning
- Security Policies
- Exercises
## Introduction to GHAS

GitHub Advanced Security (GHAS) provides a comprehensive suite of security features that help you find, fix, and prevent security vulnerabilities in your code.

```mermaid
graph TB
    subgraph "GitHub Advanced Security"
        A[Code Scanning] --> E[Security Overview]
        B[Secret Scanning] --> E
        C[Dependency Review] --> E
        D[Security Policies] --> E
    end
    subgraph "Free Security Features"
        F[Dependabot Alerts]
        G[Dependabot Updates]
        H[Security Advisories]
    end
    style E fill:#6f9,stroke:#333,stroke-width:2px
```
- **Code Scanning**
  - Static Application Security Testing (SAST)
  - Powered by CodeQL
  - Supports multiple languages
  - Custom queries available
- **Secret Scanning**
  - Detects tokens and credentials
  - Push protection prevents commits
  - Partner program for automatic revocation
  - Custom patterns support
- **Dependency Review**
  - Vulnerability detection in dependencies
  - License compliance checking
  - Pull request integration
  - Actionable fix suggestions
GHAS is available for:
- GitHub Enterprise Cloud
- GitHub Enterprise Server 3.0+
- Public repositories (free)
- 30-day trial for private repositories
## Enabling GitHub Advanced Security

```mermaid
sequenceDiagram
    participant User
    participant Repo Settings
    participant GHAS
    participant Security Tab
    User->>Repo Settings: Navigate to Settings
    Repo Settings->>User: Show Security & analysis
    User->>GHAS: Enable Advanced Security
    GHAS->>Security Tab: Features activated
    Security Tab->>User: Configuration options available
```

Navigate to your repository and follow these steps:

1. Go to Settings → Security & analysis
2. Under "GitHub Advanced Security", click **Enable**
3. Configure individual features as needed
## Dependabot Configuration

Dependabot helps you keep dependencies secure and up-to-date by:

- Monitoring for vulnerabilities
- Creating pull requests for updates
- Providing security updates
- Supporting multiple package ecosystems
Create `.github/dependabot.yml`:

```yaml
# Dependabot configuration file
version: 2
updates:
  # Enable version updates for npm
  - package-ecosystem: "npm"
    directory: "/"
    schedule:
      interval: "weekly"
      day: "monday"
      time: "04:00"
    open-pull-requests-limit: 10
    # A bare name is treated as a GitHub username; a team must be written as org/team-name
    reviewers:
      - "security-team"
    labels:
      - "dependencies"
      - "security"
    commit-message:
      prefix: "npm"
      include: "scope"

  # Enable version updates for Docker
  - package-ecosystem: "docker"
    directory: "/"
    schedule:
      interval: "weekly"
    reviewers:
      - "ops-team"

  # Enable version updates for GitHub Actions
  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      interval: "weekly"
    commit-message:
      prefix: "ci"
```

Enable automatic security updates:

1. Go to Settings → Security & analysis
2. Enable **Dependabot security updates**
3. Configure auto-merge for patches (optional)
## Code Scanning with CodeQL

CodeQL is GitHub's semantic code analysis engine that helps find security vulnerabilities.

Create `.github/workflows/codeql.yml`:

```yaml
name: "CodeQL"

on:
  push:
    branches: [ main, develop ]
  pull_request:
    branches: [ main ]
  schedule:
    - cron: '30 1 * * 0'

jobs:
  analyze:
    name: Analyze
    runs-on: ubuntu-latest
    permissions:
      actions: read
      contents: read
      security-events: write

    strategy:
      fail-fast: false
      matrix:
        language: [ 'javascript', 'python' ]

    steps:
      - name: Checkout repository
        uses: actions/checkout@v3

      - name: Initialize CodeQL
        uses: github/codeql-action/init@v2
        with:
          languages: ${{ matrix.language }}
          queries: security-extended

      - name: Autobuild
        uses: github/codeql-action/autobuild@v2

      - name: Perform CodeQL Analysis
        uses: github/codeql-action/analyze@v2
        with:
          category: "/language:${{matrix.language}}"
```

The alert lifecycle once scanning is in place:

```mermaid
graph LR
    A[Code Push] --> B[CodeQL Scan]
    B --> C{Vulnerabilities Found?}
    C -->|Yes| D[Create Alert]
    C -->|No| E[Pass]
    D --> F[Developer Review]
    F --> G{Valid Issue?}
    G -->|Yes| H[Fix Code]
    G -->|No| I[Dismiss Alert]
    H --> A
```
## Secret Scanning

1. Navigate to Settings → Security & analysis
2. Enable **Secret scanning**
3. Enable **Push protection** (recommended)

Create custom patterns for organization-specific secrets:

```yaml
# Example custom pattern for API keys
name: "Custom API Key"
pattern: |
  (?i)(?:api[_-]?key|apikey)[[:space:]]*[:=][[:space:]]*['"]?([a-z0-9]{32,64})['"]?
```

GitHub partners automatically revoke exposed tokens:

- AWS
- Azure
- Google Cloud
- Slack
- npm
- PyPI
- And many more...
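Before enabling a custom pattern organization-wide, dry-run it locally over lines you expect it to catch and lines you expect it to leave alone. The script below is an added example, not part of the module or of GitHub's tooling; `to_python_regex`, `find_api_keys` and the sample lines are constructed for it. Python's `re` does not accept the POSIX class `[[:space:]]` that GitHub's Hyperscan-based engine does, so the helper rewrites it to `\s` first, and the sample shows two gaps in the pattern as written: values shorter than 32 characters and values containing `_` or `-` are not matched.

```python
import re

# The custom pattern from the section above, verbatim. GitHub's secret scanning engine
# is Hyperscan-based and accepts POSIX classes such as [[:space:]]; Python's re module
# does not, so to_python_regex() rewrites them to the equivalent \s before compiling.
GITHUB_PATTERN = (
    r"""(?i)(?:api[_-]?key|apikey)[[:space:]]*[:=][[:space:]]*['"]?([a-z0-9]{32,64})['"]?"""
)

POSIX_CLASSES = {"[[:space:]]": r"\s", "[[:digit:]]": r"\d", "[[:alnum:]]": r"[a-zA-Z0-9]"}


def to_python_regex(pattern: str) -> str:
    """Rewrite POSIX bracket classes into their Python re equivalents."""
    for posix, py in POSIX_CLASSES.items():
        pattern = pattern.replace(posix, py)
    return pattern


def find_api_keys(text: str, pattern: str = GITHUB_PATTERN) -> list[str]:
    """Return every captured key value in text that the custom pattern would flag."""
    rx = re.compile(to_python_regex(pattern))
    return [m.group(1) for m in rx.finditer(text)]


# Constructed sample lines (not real credentials): three the pattern should catch and
# three it misses, because the value is shorter than 32 characters or contains '_'.
SAMPLE = """\
API_KEY = "0123456789abcdef0123456789abcdef"
apikey: 'ZYXWVUTSRQPONMLKJIHGFEDCBA9876543210ABCDEF'
api-key=ab12cd34ef56ab12cd34ef56ab12cd34ef56ab12
x_api_key = "tooshort"
api_key = "has_underscore_0123456789abcdef01234"
export API_KEY="cafebabe"
"""

if __name__ == "__main__":
    for key in find_api_keys(SAMPLE):
        print(key)
```

Adjust the character class or the length range in the pattern if your organization's keys contain separators or are shorter than 32 characters, and re-run until the sample behaves as intended.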
## Security Policies

Create `SECURITY.md` in your repository:

```markdown
# Security Policy

## Supported Versions

| Version | Supported          |
| ------- | ------------------ |
| 5.1.x   | :white_check_mark: |
| 5.0.x   | :x:                |
| 4.0.x   | :white_check_mark: |
| < 4.0   | :x:                |

## Reporting a Vulnerability

We take security seriously. If you discover a vulnerability:

1. **Do not** open a public issue
2. Email security@yourcompany.com with:
   - Description of the vulnerability
   - Steps to reproduce
   - Potential impact
   - Suggested fix (if any)

## Response Timeline

- **Acknowledgment**: Within 48 hours
- **Initial Assessment**: Within 5 business days
- **Resolution Target**: Within 30 days for critical issues

## Security Measures

This project implements:

- Automated dependency scanning
- Code security analysis
- Secret scanning
- Regular security audits

## Recognition

We maintain a [Security Hall of Fame](./SECURITY_HALL_OF_FAME.md) for responsible disclosures.
```

## Exercises

### Exercise 1

**Objective:** Activate GHAS trial for your repository

1. Create a new private repository
2. Navigate to Settings → Security & analysis
3. Enable GitHub Advanced Security trial
4. Document the features that become available
5. Take screenshots for your learning journal

**Deliverable:** `exercises/01-ghas-activation.md` with screenshots
### Exercise 2

**Objective:** Set up comprehensive Dependabot configuration

1. Create a sample Node.js project:

   ```bash
   mkdir secure-demo-app
   cd secure-demo-app
   npm init -y
   npm install express lodash@4.17.20 axios@0.21.0
   ```

2. Create `package.json` with known vulnerable versions
3. Create `.github/dependabot.yml` with:
   - Weekly updates for npm
   - Security updates enabled
   - Custom labels and reviewers
4. Push to GitHub and observe Dependabot behavior

**Deliverable:** Repository with working Dependabot configuration
### Exercise 3

**Objective:** Set up multi-language CodeQL scanning

1. Create a mixed-language repository with:
   - JavaScript files
   - Python files
   - SQL files
2. Add vulnerable code examples:

   ```javascript
   // Vulnerable JavaScript (SQL Injection): the route parameter is interpolated
   // straight into the query string
   app.get('/user/:id', (req, res) => {
     const query = `SELECT * FROM users WHERE id = ${req.params.id}`;
     db.query(query, (err, results) => {
       res.json(results);
     });
   });
   ```

   ```python
   # Vulnerable Python (Command Injection): the file name is spliced into a
   # shell command line, so shell metacharacters in it are interpreted
   import os

   def process_file(filename):
       os.system(f"cat {filename}")
   ```

3. Configure CodeQL workflow
4. Run analysis and review results

**Deliverable:** Repository with CodeQL findings and fix commits
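For reference when writing your fix commits, here is a hardened replacement for the Python command-injection snippet above. It is an added example, not part of the original exercise; `safe_path`, `process_file(base_dir, filename)` and `demo` are names chosen for it. The fix drops the shell entirely (the file name becomes one argv element that nothing interprets) and, because a file-reading helper that accepts any path is also a traversal risk, confines the name to a base directory.

```python
import subprocess
import tempfile
from pathlib import Path


def safe_path(base_dir: Path, filename: str) -> Path:
    """Resolve filename under base_dir and refuse anything that escapes it,
    such as '../secrets' or an absolute path."""
    base = base_dir.resolve()
    candidate = (base / filename).resolve()
    if not candidate.is_relative_to(base):
        raise ValueError(f"refusing path outside {base}: {filename!r}")
    return candidate


def process_file(base_dir: Path, filename: str) -> str:
    """Hardened replacement for the exercise's os.system(f"cat {filename}"):
    no shell is involved, the name is a single argv element that nothing
    interprets, and it must stay inside base_dir."""
    path = safe_path(base_dir, filename)
    result = subprocess.run(["cat", str(path)], capture_output=True, text=True, check=True)
    return result.stdout


def demo() -> dict:
    """Run the hardened function over constructed files, including one whose name
    carries shell metacharacters, and report what each call did."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        (base / "notes.txt").write_text("hello\n")
        # With os.system this name would have executed `id` after cat; with the
        # argv list it is just the (odd) name of a file to read.
        tricky = "notes.txt; id"
        (base / tricky).write_text("still just a file\n")
        out = {"plain": process_file(base, "notes.txt"),
               "metachar_name": process_file(base, tricky)}
        try:
            process_file(base, "../outside.txt")
            out["traversal"] = "allowed"
        except ValueError:
            out["traversal"] = "rejected"
        return out


if __name__ == "__main__":
    print(demo())
```

Commit the fix and re-run the CodeQL workflow: the command-injection alert for `process_file` should no longer appear in the next scan.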
### Exercise 4

**Objective:** Test secret scanning and push protection

1. Enable secret scanning and push protection
2. Create a test file with a fake AWS key:

   ```text
   # test-secrets.txt
   AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
   AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
   ```

3. Attempt to commit and push
4. Document the push protection behavior
5. Create custom pattern for your organization

**Deliverable:** Documentation of secret scanning behavior
### Exercise 5

**Objective:** Create organization-wide security visibility

1. Navigate to your organization's Security tab
2. Review the Security Overview dashboard
3. Document:
   - Number of alerts by type
   - Severity distribution
   - Repository risk scores
   - Trends over time
4. Create a security improvement plan based on findings
5. Export data for reporting

**Deliverable:** `exercises/05-security-overview-report.md`
## Summary

- GHAS provides comprehensive security coverage for your code
- Dependabot automates dependency management
- CodeQL finds complex security vulnerabilities
- Secret scanning prevents credential exposure
- Security policies establish clear communication channels
- ✅ Enabling and configuring GHAS
- ✅ Setting up Dependabot for multiple ecosystems
- ✅ Implementing CodeQL scanning
- ✅ Configuring secret scanning and patterns
- ✅ Creating security policies
Before moving to the next module, ensure you have:
- Enabled GHAS trial on a repository
- Configured Dependabot for automatic updates
- Set up CodeQL scanning workflow
- Tested secret scanning and push protection
- Created a security policy
- Reviewed Security Overview dashboard
Continue to Module 03: Setting Up Your Security Environment where we'll build the complete development environment for our workshop.