malirezai / Advanced-Security-Getting-Started

Guide on Getting Started with Advanced Security

Advanced Security Resources and Videos

This guide is intended to help you get started with GitHub Advanced Security. Sections below cover a variety of topics, including:

  • Introduction to GitHub Advanced Security
  • Private Repository Secret Scanning
  • Code Scanning
  • Useful extensions to GitHub Advanced Security

Introduction to GitHub Advanced Security

GitHub Advanced Security is a suite of capabilities for improving the security posture of your code. At present it adds three capabilities on top of the public repository secret scanning, dependency graph, security alerts, and automated security updates that you already have access to. They are:

  • Private Repository Secret Scanning
  • Code Scanning
  • Dependency Review

Primer Videos

Private Repository Secret Scanning

When you push commits to a private repository with secret scanning enabled, GitHub scans the contents of the commits for secrets that match the formats of supported providers (and any custom patterns you define). Alerts are then sent to repository administrators and organization owners.

See the documentation on how to configure secret scanning for private repositories.

Secret Scanning Custom Patterns

Please see this link: https://github.com/advanced-security/secret-scanning-custom-patterns
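A custom pattern is a regular expression plus optional before/after context and additional match requirements, so it pays to exercise a draft pattern against sample text before enabling it organization-wide. The harness below is an added example, not code from the repository linked above: the "acme_" token format is hypothetical, the before/after context regexes are the start-of-line/end-of-line-or-non-alphanumeric defaults assumed for the custom-pattern form, the "must match"/"must not match" lists are assumed requirement rules, and the sample lines are constructed. Python's `re` is an approximation of the Hyperscan dialect GitHub uses, so keep the final pattern to plain regex features.

```python
import re
from typing import List, Tuple

# Hypothetical internal token format (an assumption, not a real provider
# format): the literal prefix "acme_" followed by 32 lowercase hex chars.
SECRET_FORMAT = r"acme_[0-9a-f]{32}"
# Assumed defaults for the context parts of the custom-pattern form.
BEFORE_SECRET = r"^|[^0-9A-Za-z]"   # start of line or a non-alphanumeric char
AFTER_SECRET = r"$|[^0-9A-Za-z]"    # end of line or a non-alphanumeric char

# Additional match requirements, applied to the captured secret only.
# Every MUST_MATCH regex has to match; no MUST_NOT_MATCH regex may match.
# These cut obvious placeholders that satisfy the raw format.
MUST_MATCH = [r"[0-9]", r"[a-f]"]   # real tokens mix digits and letters
MUST_NOT_MATCH = [r"(.)\1{7}"]      # eight identical characters in a row

# Constructed sample input; none of these are real credentials.
SAMPLE = """\
ACME_TOKEN=acme_3f9a1c7e2b5d4a6f8e1c0b9d7a5f3e21
url = "https://acme.example/acme_3f9a1c7e2b5d4a6f8e1c0b9d7a5f3e21abc"
token = "acme_aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
tmp = "acme_00000000123456789abcdef012345678"
"""


def build_pattern(before: str, secret: str, after: str) -> "re.Pattern[str]":
    """Compose before-context, secret format and after-context into one
    regex; group 1 is the secret itself."""
    return re.compile(rf"(?:{before})({secret})(?:{after})")


def meets_requirements(secret: str) -> bool:
    """Apply the additional match requirements to a candidate secret."""
    if not all(re.search(p, secret) for p in MUST_MATCH):
        return False
    return not any(re.search(p, secret) for p in MUST_NOT_MATCH)


def scan(text: str) -> List[Tuple[int, str]]:
    """Return (line number, secret) for every candidate that passes all rules.
    Line 1 of SAMPLE is reported; the URL on line 2 fails the after-context
    (the token is followed by 'abc'), line 3 has no digit, and line 4 trips
    the repeated-character rule."""
    pattern = build_pattern(BEFORE_SECRET, SECRET_FORMAT, AFTER_SECRET)
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in pattern.finditer(line):
            if meets_requirements(m.group(1)):
                findings.append((lineno, m.group(1)))
    return findings


if __name__ == "__main__":
    for lineno, secret in scan(SAMPLE):
        print(f"line {lineno}: {secret[:9]}...")
```

Run it as a script to see which sample lines would alert. The two false-positive controls (a digit-free token and a run of eight zeros) are the kind of rule you should dry-run against your real repositories, because a custom pattern with no requirements will match every placeholder in your test fixtures.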

Code Scanning

Code scanning is a developer-first static application security testing (SAST) product that is built into GitHub. Once configured, it scans every code change in your repository for security vulnerabilities, and flags them in the developer workflow. This makes it easy to find security vulnerabilities in your code before they ever reach production.

Code scanning is powered by the CodeQL analysis engine. Out of the box it ships with hundreds of CodeQL queries written and open-sourced by the GitHub Security Lab and leading security researchers, which find potential vulnerabilities in your code with minimal configuration.

Getting Started with Code Scanning

Quick start: Code Scanning with CodeQL Action

The fastest way to get started with CodeQL is to follow this guide to onboard repositories. It creates a new GitHub Actions workflow file with the CodeQL Action configured.

You can view, fix, and close alerts for potential vulnerabilities or errors directly within the repository. See Managing alerts from code scanning for more information on viewing alerts. Additionally, alerts are displayed directly within a pull request after the analysis has run. It is also possible to require a successful code scanning run before a pull request can be merged by enabling branch protection with required status checks.

Quick start: Code Scanning with the CodeQL CLI

You can use the CodeQL CLI to run code scanning on code that you're processing in a third-party continuous integration (CI) system following this guide.

The CodeQL CLI has detailed documentation: https://codeql.github.com/docs/codeql-cli/getting-started-with-the-codeql-cli/

The CodeQL CLI is a command-line tool that runs CodeQL analysis on a checkout of a GitHub repository. You add the CLI calls to your build pipeline in three steps: create a CodeQL database from the checkout (for compiled languages this wraps your build command), analyze the database to produce a SARIF results file, then upload that file to GitHub, where the results are displayed as code scanning alerts in the repository. See Using the CodeQL CLI with third-party CI.
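The three-step pipeline above, as an added example of a small CI wrapper around the CodeQL CLI (this is illustrative code, not part of the page or of the CodeQL CLI itself). It assumes the `codeql` binary is on PATH, that the database directory, build command, SARIF path and repository name are placeholders for your own pipeline, and that the upload step reads the token from the `GITHUB_TOKEN` environment variable rather than from the command line, where it would land in CI logs and process listings.

```python
import os
import subprocess
from typing import List, Optional


def create_db_cmd(db: str, language: str, build_cmd: Optional[str]) -> List[str]:
    """codeql database create: extract a database from the checkout.
    For compiled languages the build command is traced, so a failing build
    fails this step instead of silently producing an empty database."""
    cmd = ["codeql", "database", "create", db,
           f"--language={language}", "--source-root=."]
    if build_cmd:
        cmd.append(f"--command={build_cmd}")
    return cmd


def analyze_cmd(db: str, sarif_out: str, suite: Optional[str] = None) -> List[str]:
    """codeql database analyze: run queries and write SARIF. With no suite
    argument the CLI runs the default code scanning suite for the
    database's language; pass a suite such as the language's
    security-extended suite to widen coverage."""
    cmd = ["codeql", "database", "analyze", db,
           "--format=sarif-latest", f"--output={sarif_out}"]
    if suite:
        cmd.append(suite)
    return cmd


def upload_cmd(repo: str, ref: str, commit: str, sarif: str) -> List[str]:
    """codeql github upload-results: publish the SARIF so it shows up as
    code scanning alerts. The CLI picks up GITHUB_TOKEN from the
    environment; the token never appears in argv."""
    return ["codeql", "github", "upload-results",
            f"--repository={repo}", f"--ref={ref}",
            f"--commit={commit}", f"--sarif={sarif}"]


def run(cmd: List[str]) -> None:
    print("+", " ".join(cmd))
    subprocess.run(cmd, check=True)   # raises on a non-zero exit, stopping the pipeline


def pipeline(repo: str, ref: str, commit: str, language: str = "cpp",
             build_cmd: Optional[str] = "make -j", db: str = "codeql-db",
             sarif: str = "results.sarif", suite: Optional[str] = None) -> None:
    """Create, analyze, upload; fail early if the upload step cannot
    authenticate, before spending minutes on the build."""
    if "GITHUB_TOKEN" not in os.environ:
        raise RuntimeError("GITHUB_TOKEN must be set for the upload step")
    run(create_db_cmd(db, language, build_cmd))
    run(analyze_cmd(db, sarif, suite))
    run(upload_cmd(repo, ref, commit, sarif))


if __name__ == "__main__":
    # Placeholder values; a real CI job would take these from its environment.
    pipeline(repo="example-org/example-repo", ref="refs/heads/main",
             commit=os.environ.get("GIT_COMMIT", "HEAD"))
```

The `--ref` and `--commit` values must describe the exact commit that was analyzed, otherwise the alerts are attached to the wrong code and pull request annotations will not line up.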

Notes

  • Code Scanning via CodeQL analysis runs as part of the CI/CD workflow in GitHub Actions (https://help.github.com/en/actions) or on third-party CI systems with the CodeQL CLI (the older CodeQL Runner has been deprecated in favour of the CLI).
    • Every onboarded repository can use a GitHub Actions workflow with the CodeQL Action to run the analysis, or the CodeQL CLI to integrate into an existing CI system.
  • For compiled languages (C/C++, C#, Go, Java), CodeQL analysis must run after a successful build, because the database is extracted by observing the compiler.
    • By default, CodeQL analysis will attempt to autobuild your project.
    • If autobuild fails, you will need to first configure GitHub Actions to build your application properly before running the CodeQL analysis.
  • CodeQL analysis runs only a limited set of high-confidence security queries by default.
    • This keeps the false positive rate very low so that noise does not overwhelm developers.
    • It is possible to include other query sets, such as the security-extended suite (additional security queries) and the security-and-quality suite (security plus code quality queries).
  • Results from third-party static analysis tools can also be displayed as code scanning alerts by uploading them as a SARIF 2.1.0 file.

APIs

The Code Scanning API lets you retrieve and update code scanning alerts from a repository. You can use the endpoints to create automated reports for the code scanning alerts in an organization, or to upload analysis results (SARIF) generated by tools run outside GitHub.
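Both uses of the API described above, as an added example (not code from the page or from GitHub): a reporting helper that counts open alerts by severity, and a helper that builds the request body for uploading a third-party SARIF file. The alert records and the SARIF document are constructed sample data; `fetch_open_alerts` is the only function that touches the network (it needs a token with the `security_events` scope and is not exercised offline).

```python
import base64
import gzip
import json
import urllib.request
from collections import Counter
from typing import Dict, List

API = "https://api.github.com"


def fetch_open_alerts(owner: str, repo: str, token: str) -> List[Dict]:
    """GET /repos/{owner}/{repo}/code-scanning/alerts?state=open (first page
    only; follow the Link header for more). Not called offline."""
    req = urllib.request.Request(
        f"{API}/repos/{owner}/{repo}/code-scanning/alerts?state=open&per_page=100",
        headers={"Authorization": f"Bearer {token}",
                 "Accept": "application/vnd.github+json"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def summarize(alerts: List[Dict]) -> Dict[str, int]:
    """Count open alerts by security severity (critical/high/medium/low).
    Quality queries carry no security_severity_level, so they fall back to
    the rule's plain severity (error/warning/note). Alerts in any other
    state (fixed, dismissed) are skipped."""
    counts: Counter = Counter()
    for alert in alerts:
        if alert.get("state") != "open":
            continue
        rule = alert["rule"]
        counts[rule.get("security_severity_level") or rule["severity"]] += 1
    return dict(counts)


def sarif_upload_body(sarif_text: str, commit_sha: str, ref: str) -> Dict[str, str]:
    """Body for POST /repos/{owner}/{repo}/code-scanning/sarifs. The SARIF
    document must be gzip-compressed and then base64-encoded, and the
    commit/ref must identify exactly the code that was analyzed."""
    packed = base64.b64encode(gzip.compress(sarif_text.encode("utf-8"))).decode("ascii")
    return {"commit_sha": commit_sha, "ref": ref, "sarif": packed}


def unpack_sarif(body: Dict[str, str]) -> str:
    """Reverse of sarif_upload_body, used to sanity-check the encoding."""
    return gzip.decompress(base64.b64decode(body["sarif"])).decode("utf-8")


# Constructed sample alerts in the shape the alerts endpoint returns.
SAMPLE_ALERTS = [
    {"number": 1, "state": "open",
     "rule": {"id": "py/sql-injection", "severity": "error", "security_severity_level": "critical"}},
    {"number": 2, "state": "open",
     "rule": {"id": "py/path-injection", "severity": "error", "security_severity_level": "high"}},
    {"number": 3, "state": "fixed",
     "rule": {"id": "py/path-injection", "severity": "error", "security_severity_level": "high"}},
    {"number": 4, "state": "open",
     "rule": {"id": "py/unused-import", "severity": "warning"}},
]

# Constructed minimal SARIF 2.1.0 document from a hypothetical tool.
SAMPLE_SARIF = json.dumps({
    "version": "2.1.0",
    "runs": [{"tool": {"driver": {"name": "example-tool"}}, "results": []}],
})

if __name__ == "__main__":
    print(summarize(SAMPLE_ALERTS))
    print(len(sarif_upload_body(SAMPLE_SARIF, "0123abcd", "refs/heads/main")["sarif"]), "bytes of encoded SARIF")
```

For an organization-wide report, loop `fetch_open_alerts` over the repositories and merge the `summarize` results; for the upload, POST the returned dict as JSON with the same Authorization and Accept headers used in `fetch_open_alerts`.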

Code Scanning Alert webhook event: activity related to code scanning alerts in a repository. The type of activity is specified in the action property of the payload object.
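A receiver for that event, as an added example rather than code from the page: it verifies the `X-Hub-Signature-256` header (HMAC-SHA256 over the raw request body with the webhook secret, sent as `sha256=<hex>`) before parsing anything, then dispatches on the `action` property. The secret and the payload are constructed, and the `handle_code_scanning_alert` return value is a placeholder for whatever your ticketing or alerting integration does.

```python
import hashlib
import hmac
import json

SIG_PREFIX = "sha256="


def sign(secret: bytes, body: bytes) -> str:
    """Produce the header value GitHub sends for a given body; used here to
    build a test fixture and to show the exact format being checked."""
    return SIG_PREFIX + hmac.new(secret, body, hashlib.sha256).hexdigest()


def verify_signature(secret: bytes, body: bytes, signature_header: str) -> bool:
    """Constant-time check of X-Hub-Signature-256 over the raw body. The
    body must be the exact bytes received; re-serializing parsed JSON
    will not reproduce the signature."""
    if not signature_header or not signature_header.startswith(SIG_PREFIX):
        return False
    expected = hmac.new(secret, body, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, signature_header[len(SIG_PREFIX):])


def handle_code_scanning_alert(secret: bytes, body: bytes, signature_header: str) -> str:
    """Reject unsigned or tampered deliveries, then route on `action`.
    Actions that mean work is needed (created, reopened, reopened_by_user,
    appeared_in_branch) are reported as open; fixed and closed_by_user as
    closed; anything else is ignored rather than guessed at."""
    if not verify_signature(secret, body, signature_header):
        raise PermissionError("webhook signature check failed")
    event = json.loads(body)
    action = event["action"]
    alert = event["alert"]
    rule_id = alert["rule"]["id"]
    repo = event["repository"]["full_name"]
    if action in ("created", "reopened", "reopened_by_user", "appeared_in_branch"):
        return f"open:{repo}:{alert['number']}:{rule_id}"
    if action in ("fixed", "closed_by_user"):
        return f"closed:{repo}:{alert['number']}:{rule_id}"
    return f"ignored:{action}"


# Constructed fixtures: a made-up webhook secret and a minimal payload with
# the fields the handler reads.
SECRET = b"constructed-webhook-secret"
SAMPLE_BODY = json.dumps({
    "action": "created",
    "alert": {"number": 7, "state": "open",
              "rule": {"id": "py/sql-injection", "severity": "error"}},
    "repository": {"full_name": "example-org/example-repo"},
}).encode("utf-8")

if __name__ == "__main__":
    header = sign(SECRET, SAMPLE_BODY)
    print(handle_code_scanning_alert(SECRET, SAMPLE_BODY, header))
    print(verify_signature(SECRET, SAMPLE_BODY + b" ", header))
```

In a real receiver also check the `X-GitHub-Event` header equals `code_scanning_alert` before assuming the payload shape, and treat the `X-GitHub-Delivery` id as the deduplication key, since GitHub may redeliver an event.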

Dependabot Version Updates from private GitHub repos

Dependency Review

About dependency review

If a pull request targets your repository's default branch and contains changes to package manifests or lock files, you can display a dependency review to see what has changed. The dependency review includes details of changes to indirect dependencies in lock files, and it tells you whether any of the added or updated dependencies contain known vulnerabilities.
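The mechanics described above (diff the dependency set between the base and head manifests, then check each added or updated package against an advisory source), as an added illustration that is not GitHub's implementation: it parses a pinned requirements-style manifest, reports added, removed and updated packages, and flags new versions that fall inside a vulnerable range. The package names, versions and advisory table are all constructed for the example; GitHub's feature resolves indirect dependencies from lock files and consults the GitHub Advisory Database, neither of which this toy reproduces.

```python
from typing import Dict, List, Optional, Tuple

# Constructed advisory table: package -> [(advisory id, first vulnerable
# version inclusive, first fixed version exclusive)]. The ids are made up.
ADVISORIES: Dict[str, List[Tuple[str, str, str]]] = {
    "flaskish": [("ADV-0001", "1.0.0", "1.2.4")],
    "newdep": [("ADV-0002", "0", "3.0.0")],
}

# Constructed base and head manifests, as a pull request might change them.
OLD_MANIFEST = "httpfetch==2.25.0\nflaskish==1.2.0\nleftpadlib==0.1.0\n"
NEW_MANIFEST = "httpfetch==2.31.0\nflaskish==1.2.3\nnewdep==4.0.0\n"


def version_key(version: str) -> Tuple[int, ...]:
    """Numeric comparison key for dotted versions (e.g. 1.2.10 > 1.2.9)."""
    return tuple(int(part) for part in version.split("."))


def parse_pins(text: str) -> Dict[str, str]:
    """Parse 'name==version' lines; blank lines and comments are skipped."""
    pins = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, version = line.split("==", 1)
        pins[name.strip().lower()] = version.strip()
    return pins


def vulnerable_ids(name: str, version: str, advisories=ADVISORIES) -> List[str]:
    """Advisory ids whose [introduced, fixed) range contains the version."""
    key = version_key(version)
    return [adv_id for adv_id, introduced, fixed in advisories.get(name, [])
            if version_key(introduced) <= key < version_key(fixed)]


def review(old_text: str, new_text: str, advisories=ADVISORIES) -> List[Dict]:
    """One record per changed package: old/new version (None when absent)
    and the advisories that apply to the version being introduced."""
    old, new = parse_pins(old_text), parse_pins(new_text)
    changes = []
    for name in sorted(set(old) | set(new)):
        old_v: Optional[str] = old.get(name)
        new_v: Optional[str] = new.get(name)
        if old_v == new_v:
            continue   # unchanged pin, not part of the review
        flagged = vulnerable_ids(name, new_v, advisories) if new_v else []
        changes.append({"name": name, "old": old_v, "new": new_v, "vulnerable": flagged})
    return changes


if __name__ == "__main__":
    for change in review(OLD_MANIFEST, NEW_MANIFEST):
        status = "VULNERABLE " + ",".join(change["vulnerable"]) if change["vulnerable"] else "ok"
        print(f"{change['name']}: {change['old']} -> {change['new']} [{status}]")
```

The update of `flaskish` from 1.2.0 to 1.2.3 is the interesting case: the pull request bumps the version, but the new pin is still below the fixed version, so a review that only looked at "did it change" would miss it.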

Useful Extensions to GHAS
