Essentials of GitHub Advanced Security
GitHub Advanced Security (GHAS) is a developer-first application security testing solution that brings GitHub's world-class security capabilities to public and private repositories. It provides highly curated detection and remediation capabilities crafted by some of the world's best security engineers to ensure your code, secrets, and software supply chain are as secure as possible. Plus, it’s fully automated, so you don't have to remember to run GHAS tests or wait for a security review before merging.
In this module, you’ll get started with GHAS and immediately begin fixing vulnerabilities and preventing future security problems. All it takes is a few clicks! To help us along the way, we’ll be joined by Justin Watts, director of engineering productivity at Canadian telecom TELUS, who will share insights and best practices.
By the end of this module, you’ll understand the detection methods GHAS includes, the differences between its key features, how to enable those key features with their default settings at the repository level, and how to start viewing results and remediating vulnerabilities.
Prerequisites
A GitHub Advanced Security license
Repository admin or organization Security Manager permissions
Basic knowledge of GitHub, such as forking repositories and committing changes
In this module, we will be using an example application called OWASP Juice Shop to explore the features of GitHub Advanced Security. Juice Shop is an open source, deliberately insecure application widely used for security testing and benchmarking.
Essentials module overview
Guide 1: Understanding GitHub Advanced Security
Learn about the detection methods GHAS includes, how the different features help secure various parts of your software, and what capabilities are available to report on your security progress.
Guide 2: Enabling GitHub Advanced Security
How to enable GitHub Advanced Security at the repository level, this includes code scanning, CodeQL, dependency review, and secret scanning.
Guide 3: Reviewing GitHub Advanced Security scan results
How to view results from code scanning, secret scanning, and Dependabot, how to dismiss false positives in secret scanning, and how to automatically remediate vulnerabilities with Dependabot.
Industry expert insights from:
TELUS: TELUS is a leading communications and information technology provider in Canada, responsible for powering essential services for over 35 million people across the country. With a diverse team of 78,000, including nearly 5,000 developers, analysts, and technicians, TELUS faces the monumental task of unifying various tools and technologies. By adopting GitHub, they centralized their software development, streamlined testing through GitHub Actions, and enhanced security protocols. This has resulted in significant time savings and elevated code quality across their workforce of nearly 5,000 tech professionals.