Guards guarding a castle

Understanding GitHub Advanced Security

Nicholas Liffen
Nicholas Liffen // Director, GitHub Advanced Security // GitHub

GitHub Advanced Security (GHAS) is a developer-first application security testing solution that brings GitHub's world-class security capabilities to public and private repositories. Most of GitHub Advanced Security features are free for public repositories but require a GitHub Advanced Security license for private repositories. It only takes a few clicks to get started. Right out of the box, you'll benefit from highly curated detection and remediation capabilities crafted by some of the world's best security engineers to ensure your code and software supply chain are as secure as possible. It's fully automated, so once enabled, you don't have to remember to run GHAS tests or wait for a security review before merging.

Before we dive into enabling and using GHAS, let's take some time to get familiar with its primary capabilities. TELUS, will share some insights into the company’s use of GitHub Advanced Security to help you along your way.

In this guide you will learn:

  • What detection methods GHAS includes 

  • How the different features help secure various parts of your software

  • What capabilities are available to report on your security progress

Secret scanning

Secret scanning protects you from accidentally leaking tokens and other secrets by searching your entire repository, including git history and issues, for any pattern-based credentials that may have been committed to a codebase. Secret scanning tests for over 200 token types and is supported by a partner program of approximately 150 service providers to detect leaked secrets across common tools you use when developing software. You can also define over 500 custom patterns across your organization for your unique or proprietary secrets to ensure they are detected as well. You can even use regular expressions to create custom patterns. Secret scanning’s push protection feature provides preventative protection that actively warns developers when committing new secrets to a repository.

Code scanning

Code scanning is GitHub’s application security testing interface. It’s home to GitHub's static analysis solution, CodeQL, a semantic analysis engine that can uncover not just known vulnerabilities but unknown variations, potentially unsafe coding practices, and other code quality issues.

CodeQL prepares code for analysis by creating a database of a repository’s code, which provides a "built" version of the users' code represented as structured data that CodeQL uses to understand the data flow of the application, rather than just scanning the static code without context. CodeQL then executes a series of queries against the repository’s entire CodeQL database. 

You can write your own queries, but GitHub provides thousands of queries that cover the most critical types of vulnerabilities. For example, the combination of our default CodeQL and Dependabot queries will help ensure you stay OWASP Top 10 and SANS Top 25 compliant. These queries have been selected for their high level of accuracy, ensuring a low false positive rate for the user.

The CodeQL default queries meet the majority of our needs. We're starting to see some teams write custom queries as developers become more familiar with the platform, but we still get a ton of value by just using the defaults.

Justin Watts
Justin Watts // Director, Engineering Productivity // TELUS

In addition to CodeQL, code scanning can be used to view and interact with any other application security tool that produces a file in the SARIF (Static Analysis Results Interchange Format) standard. GitHub provides over 70 out-of-the-box GitHub Actions to automatically integrate popular open source and commercial application security solutions from many categories, including dynamic analysis, code quality, and container security. Results from these integrations are surfaced through the code scanning interface and are displayed in the same format as CodeQL, providing a consistent experience across tooling.

Supply chain security

As the home of open source, GitHub offers many Supply Chain Security features for free to honor our commitment to make open source usage secure for everyone. This includes access to GitHub’s Advisory Database and Security Lab research, which host the most robust, relevant, and accurate sources of open source vulnerability data in the world, as well as dependency graph, which summarizes your dependencies, and Dependabot, which identifies vulnerabilities in dependencies and suggests automatic ways to fix, patch, or update them.

To extend these capabilities for enterprise users, GHAS offers supply chain security tailored for the enterprise, like dependency review, a proactive feature that helps prevent insecure dependencies from making it into private repositories.

Reporting

Once you enable GHAS features, you can report on your security posture and adoption with security overview. Security overview provides a high-level view into how application security efforts are performing over time, while also providing granular filtering capabilities to identify and prioritize problematic areas of the codebase that require immediate attention.

Up next: Enabling GitHub Advanced Security

Now that you know what each of these features do, let’s go ahead and turn them on. You might be surprised how easy it is!