Three guards guarding art in a museum

Advanced GitHub Advanced Security

Nicholas Liffen
Nicholas Liffen // Director, GitHub Advanced Security // GitHub

Once you switch on GitHub Advanced Security's (GHAS) key features, they'll always be running in the background to keep your code safe. But you can do more with GHAS than run the scans GitHub provides out of the box. In this module, we'll dive into the more advanced capabilities of GHAS.


  • A GitHub Advanced Security license

  • CodeQL, dependency graph, Dependabot alerts, secret scanning, and push protection should all be enabled

  • Repository admin or organization Security Manager permissions

  • Basic knowledge of GitHub, such as forking repositories and committing changes

  • Some familiarity with GitHub Actions is recommended

In this module, we will be using an example application called Web Goat to explore the features of GHAS. Web Goat is an open source, deliberately insecure application widely used for security testing and benchmarking. If you completed one of the previous security pathways (foundational or intermediate), you can keep using the same repository.

Advanced module overview

Guide 1: Creating a central CodeQL configuration file

Why and how to centrally manage your CodeQL configuration, how to enable access to your central CodeQL configuration file, and how to point individual repositories to it.

Guide 2: Understanding your end-to-end software supply chain

How to use GitHub Actions to create and upload a dependency snapshot,how to view the results with dependency graph, and how to automatically export a software bill of materials (SBOM) with GitHub Actions.