Cartoon rock climber using proper security techniques while climbing a rock wall

Intermediate GitHub Advanced Security

Nicholas Liffen
Nicholas Liffen // Director, GitHub Advanced Security // GitHub

GitHub Advanced Security (GHAS) is designed to meet the needs of the majority of enterprises, right out of the box. We endeavor to keep the need for configuration to an absolute minimum so that everyone can benefit from the protection offered by GHAS right away. But there’s no such thing as one size fits all when it comes to enterprise security.

In this module, we go beyond the defaults and show you how to configure GitHub Advanced Security to meet your organization’s needs. Experts from Telus, KPMG, and LinkedIn will join us along the way to share the lessons they’ve learned while implementing GHAS.

When you’re done with this module, you’ll be familiar with the configuration files for CodeQL, secret scanning, and dependency review, and be ready to start customizing your own GHAS setup.

Prerequisites

  • A GitHub Advanced Security license

  • Repository admin or organization Security Manager permissions

  • Basic knowledge of GitHub, such as forking repositories and committing changes

  • Some familiarity with GitHub Actions is recommended

In this module, we’ll be using an example application called Web Goat to explore the features of GHAS. Web Goat is an open source, deliberately insecure application widely used for security testing and benchmarking.

Intermediate module overview

Guide 1: Advanced CodeQL setup

When to use CodeQL advanced setup instead of the default setup, how to edit a CodeQL configuration file, and how to set custom build instructions for CodeQL.

Guide 2: Fine tune testing scope with CodeQL

How to exclude files or folders from a CodeQL scan, how to change which queries run as part of a CodeQL scan, and the differences between the three default query suites included with CodeQL.

Guide 3: Extend your testing with third-party tools with GitHub code scanning

Why third-party tools are a valuable addition to GitHub code scanning, how to integrate third-party tools into code scanning with GitHub Actions, and how to view results from those tools in code scanning.

Guide 4: Customizing the scope of secret scanning

How to create a secret scanning configuration file, how to exclude files and folders from secret scanning, best practices for deciding what to exclude and what not to.

Guide 5: Customize dependency review configuration

How to edit the dependency review workflow file to implement common dependency review customizations, such as changing the vulnerability severity level that will trigger an alert, blocking particular licenses, or ​​preventing merging vulnerable dependencies to specific deployment environments.

Industry expert insights from:

Telus: TELUS is a leading communications and information technology provider in Canada, responsible for powering essential services for over 35 million people across the country. With a diverse team of 78,000, including nearly 5,000 developers, analysts, and technicians, TELUS faces the monumental task of unifying various tools and technologies. By adopting GitHub, they centralized their software development, streamlined testing through GitHub Actions, and enhanced security protocols. This has resulted in significant time savings and elevated code quality across their workforce of nearly 5,000 tech professionals.

LinkedIn: From job listings and networking opportunities to articles and online courses, LinkedIn puts the resources to navigate the ever-changing world of work at your fingertips. Founded in 2003, LinkedIn connects the world's professionals to make them more productive and successful. With more than 850 million members worldwide, including executives from every Fortune 500 company, LinkedIn is the world's largest professional network.

KPMG: A leading global professional services organization, KPMG is one of the “Big Four” accounting firms, and is best known for its tax, auditing, and other accounting-related services. But there’s much more to the firm. KPMG helps its clients solve complex business problems, increasingly driving digital transformations and developing custom software. KPMG has transformed from its heritage as an audit-and-accounting firm to a multidisciplinary services firm with a large technical and engineering workforce.

Begin Guide 1: Advanced CodeQL setup