
Enabling GitHub Advanced Security

Nicholas Liffen // Director, GitHub Advanced Security // GitHub

Protecting your codebase from known vulnerabilities and preventing leaked secrets is as simple as clicking a few options in your repository’s settings. By the end of this guide you’ll have GitHub Advanced Security (GHAS) running on your sample repository, and you’ll be ready to turn these features on in your own repositories.

TELUS will share some insights into the company’s use of GitHub Advanced Security to help you along your way.


In this guide you will learn:

  • How to enable GitHub Advanced Security at the repository level, including code scanning with CodeQL, dependency review, and secret scanning

  • How GHAS protects code without blocking developer productivity


1. Set up your test repository.

Fork the Juice Shop repository into an organization with GHAS enabled if you haven’t already.

Click Actions under your repository name. If you cannot see the Actions tab, select the “...”  dropdown menu, then click Actions.

Screenshot of Actions tab

Click the button that says I understand my workflows, go ahead and enable them.

2. Enable GitHub Advanced Security and secret scanning.

On your Juice Shop repository’s GitHub.com page, click Settings under your repository name. If you cannot see the Settings tab, select the “...”  dropdown menu, then click Settings.

Screenshot of Settings tab

In the Security section of the sidebar, click Code security and analysis.

Scroll down the page to GitHub Advanced Security, and click Enable. If you see Disable instead, that means that GHAS is already enabled for the repository.

Enable secret scanning.

Scroll down the page, and click Enable for secret scanning. If you see Disable, that means that secret scanning is already enabled for the repository.

Screenshot of Code security and analysis setting with GitHub Advanced Security option enabled

A new sub-section labeled Push protection will appear under Secret scanning. Click Enable.

You might be thinking that Dependabot, CodeQL, and secret scanning all sound cool, but that there's no way you can ever enable them by default across your entire organization. I've been there. But we were able to enable secret scanning with push protection across TELUS with less than a day of planning. We have CodeQL and Dependabot enabled enterprise-wide as well.

The reason we're able to adopt these tools universally is simple: They don't block developers from committing code and they don't require any education or training. Once you turn these services on, they run automatically in the background. You don't need to run an internal awareness campaign to get developers to turn them on, or explain how to use them. If you push code that doesn’t have a vulnerability or a secret, nothing changes for you.

Even when an issue is detected, GitHub walks you through what to do next. If you try to do something potentially unsafe, you’ll be warned, but not blocked. If you need to commit an invalid token as part of a code example, you can. If there's a reason you need to commit a valid key to a non-public repository and remove it later, you can do that too.

Non-blocking doesn’t mean no accountability. For example, if you commit a secret with the “I’ll fix it later” option, GitHub will alert organization owners, security managers, and repository administrators. This puts extra eyes on important security decisions and helps ensure issues really do get fixed.

It’s just as easy to turn these features off as it is to turn them on. If you enable push protection organization-wide and run into problems, you can just switch it off.

Justin Watts // Director, Engineering Productivity // TELUS

3. Enable CodeQL.

Note: Because this repository is a fork, you need to enable GitHub Actions before you can enable CodeQL (if you completed step 1, this is already done). On the GitHub.com page for your Juice Shop repository, click Actions under your repository name. If you cannot see the Actions tab, select the “…” dropdown menu, then click Actions. Click I understand my workflows, go ahead and enable them.

This process is very similar to enabling secret scanning.

On the GitHub.com page for your Juice Shop repository, click Settings under your repository name. If you cannot see the Settings tab, select the “…” dropdown menu, then click Settings.

In the Security section of the sidebar, click Code security and analysis.

In the Code scanning section, select Set up. There will be a choice between Default or Advanced. Select Default. We'll cover Advanced in a future guide.

Screenshot of Code scanning setting displaying Default and Advanced options

You will then see a "CodeQL default configuration" dialog summarizing the configuration automatically created by default setup, including the languages and queries that will run. Leave these settings alone for now. The default query suite is highly curated to include the best, most precise queries to keep your code safe while generating few false positives. We’ll look into customizing these settings in a future guide.

Click Enable CodeQL.

That’s all it takes to enable static analysis on your repository. This first scan will take some time to run, so we'll examine the results in the next guide. For now, let's move to the next step.

4. Enable supply chain security features.

Dependency review is enabled by default and can’t be turned off, but let’s ensure that we have Dependabot and dependency graph activated. On the GitHub.com page for your Juice Shop repository, click Settings under your repository name. If you cannot see the Settings tab, select the “…” dropdown menu, then click Settings.

In the Security section of the sidebar, click Code security and analysis.

Under Code security and analysis, click Enable next to “Dependency graph” and “Dependabot alerts.” Let’s just use the defaults for now.

We’ll run through configuring dependency review in the intermediate module.
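If you need to repeat steps 2 to 4 across many repositories, the same toggles are exposed through the GitHub REST API. The script below is an added example, not part of this guide or of GitHub’s own tooling; it assumes GITHUB_TOKEN holds a token with admin rights on the repository, that the repository is a private repo in a GHAS-enabled organization (so the GHAS toggle applies), and it does not cover the dependency graph toggle. The `missing_features` check is the part worth keeping: it tells you which of the guide’s settings a repository still lacks.

```python
import json
import os
import urllib.request

API = "https://api.github.com"

# The repo-level toggles from steps 2 and 3 live in the `security_and_analysis`
# object of the repository resource. These three are the ones this guide enables.
WANTED = {
    "advanced_security": "enabled",
    "secret_scanning": "enabled",
    "secret_scanning_push_protection": "enabled",
}

def enable_payload(wanted=WANTED):
    """Request body for PATCH /repos/{owner}/{repo} that enables each feature."""
    return {"security_and_analysis": {k: {"status": v} for k, v in wanted.items()}}

def missing_features(repo_json, wanted=WANTED):
    """Diff a GET /repos/{owner}/{repo} response against the wanted states and
    return the feature names not yet there (empty list = repo matches the guide)."""
    current = repo_json.get("security_and_analysis") or {}
    return sorted(k for k, v in wanted.items()
                  if (current.get(k) or {}).get("status") != v)

def gh_request(method, path, body=None):
    """Minimal authenticated call; GITHUB_TOKEN must hold a repo-admin token."""
    req = urllib.request.Request(
        API + path, method=method,
        data=json.dumps(body).encode() if body is not None else None,
        headers={"Authorization": "Bearer " + os.environ["GITHUB_TOKEN"],
                 "Accept": "application/vnd.github+json",
                 "X-GitHub-Api-Version": "2022-11-28"})
    with urllib.request.urlopen(req) as resp:
        return json.loads(resp.read() or b"{}")  # 204 responses carry no body

def enable_ghas(owner, repo):
    """Steps 2-4 of the guide via the API; returns the features still not enabled."""
    base = f"/repos/{owner}/{repo}"
    gh_request("PATCH", base, enable_payload())            # GHAS, secret scanning, push protection
    gh_request("PATCH", base + "/code-scanning/default-setup",
               {"state": "configured"})                    # CodeQL default setup
    gh_request("PUT", base + "/vulnerability-alerts")       # Dependabot alerts
    return missing_features(gh_request("GET", base))
```

Run it as `enable_ghas("OWNER", "juice-shop")` with OWNER replaced by your organization; an empty return value means every setting from steps 2 and 3 is now in place.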

Up next: Reviewing GitHub Advanced Security scan results

That's it! You now have GitHub Advanced Security protecting your repository and it only took a few clicks.

Next we'll take a look at the results from our CodeQL scan and test both secret scanning and supply chain security.