GitHub Advanced Security
GitHub Advanced Security (GHAS) is a comprehensive set of security features offered by GitHub that provides additional security capabilities for code repositories. These features help organizations implement a robust DevSecOps strategy by integrating security directly into the development workflow. The core features include:
- Code scanning: Automatically scans code for known vulnerabilities and security issues using static application security testing (SAST)
- Secret scanning: Automatically scans code for exposed secrets, such as passwords, API keys, and tokens using pattern matching and machine learning
- Dependency graph: Shows dependencies of a code repository and alerts of known vulnerabilities in those dependencies using the GitHub Advisory Database
- Access control: Allows repository administrators to implement fine-grained access controls and enforce security policies
Code Scanning
Code scanning is a feature of GitHub Advanced Security that automatically scans code for known vulnerabilities and security issues using static analysis techniques. It leverages CodeQL, GitHub’s semantic code analysis engine, to examine the code and identify potential issues such as:
- SQL injection vulnerabilities in database query construction
- Cross-site scripting (XSS) vulnerabilities in web applications
- Insecure cryptographic practices like weak hashing algorithms or improper key management
- Authentication and authorization flaws in access control logic
- Race conditions and other concurrency issues
When code scanning is enabled, it automatically scans new commits and pull requests to detect any issues. The scanning process runs in GitHub Actions workflows and can be configured to run:
- On push to protected branches
- On pull request creation and updates
- On a scheduled basis (e.g., daily or weekly)
The scan results provide a comprehensive summary including the number of issues found, the severity level (critical, high, medium, low), and the exact location of each issue in the code with detailed remediation guidance.
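As an added example (not from the original page), the GitHub Actions workflow below enables CodeQL code scanning with the three triggers described above. The repository name, the `main` branch and the two analyzed languages are assumptions; the action names and inputs are GitHub's published `github/codeql-action` interface.

```yaml
# Assumed file path: .github/workflows/codeql.yml
name: CodeQL code scanning

on:
  push:
    branches: [ "main" ]          # assumed protected branch
  pull_request:
    branches: [ "main" ]          # runs on PR creation and every update
  schedule:
    - cron: "0 6 * * 1"           # weekly scan, Mondays 06:00 UTC

jobs:
  analyze:
    runs-on: ubuntu-latest
    permissions:
      security-events: write      # required to upload results to the Security tab
      actions: read
      contents: read
    strategy:
      fail-fast: false
      matrix:
        language: [ "javascript", "python" ]   # assumed project languages
    steps:
      - uses: actions/checkout@v4

      # Initialize CodeQL for one language; the security-extended suite adds
      # lower-precision queries on top of the default security set.
      - uses: github/codeql-action/init@v3
        with:
          languages: ${{ matrix.language }}
          queries: security-extended

      # No-op for interpreted languages; compiles the code for C/C++, Java, etc.
      - uses: github/codeql-action/autobuild@v3

      # Run the queries and upload SARIF results; the category keeps the
      # per-language results separate in the alerts view.
      - uses: github/codeql-action/analyze@v3
        with:
          category: "/language:${{ matrix.language }}"
```

Findings from the pull_request trigger appear as checks and inline annotations on the PR, so a failing scan can be made a required status check under branch protection.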

Repository administrators can also configure the scan to run on a schedule or on demand, and code scanning can be integrated with third-party SAST (Static Application Security Testing) and DAST (Dynamic Application Security Testing) tools to extend its coverage.
Code scanning can help to ensure that the code in a repository is free from known vulnerabilities and security issues, and can also help developers to identify and fix issues early in the development process.
Secret Scanning
Secret scanning is a feature of GitHub Advanced Security that automatically scans code for exposed secrets, such as passwords and tokens. It uses a combination of techniques including:
- Pattern matching using regular expressions for known secret formats
- Entropy analysis to detect high-entropy strings that might be secrets
- Machine learning models trained to identify secret-like patterns
- Partner verification where GitHub validates detected secrets with service providers
When secret scanning is enabled, it automatically scans:
- New commits and pull requests in real-time
- Historical commit history for existing repositories
- Issue comments and discussions where secrets might be accidentally shared
The feature can detect over 200 types of secrets from popular services like AWS, Google Cloud, Azure, Stripe, and many others. When a secret is detected, GitHub provides:
- Immediate alerts to repository administrators
- Automatic partner notifications for verified secrets (e.g., AWS will be notified of exposed AWS keys)
- Detailed remediation guidance including steps to revoke and rotate the compromised credentials

Secret scanning can help to ensure that sensitive information is not accidentally committed to a repository, and can also help developers to identify and remove secrets from their code early in the development process. This can help to reduce the risk of data breaches and other security incidents caused by exposed secrets.
Dependency Scanning
The dependency graph is a feature of GitHub Advanced Security that provides comprehensive visibility into your project’s dependencies and alerts you to known vulnerabilities. It works by:
- Parsing manifest files like package.json, requirements.txt, pom.xml, and others to build a dependency tree
- Tracking transitive dependencies to understand the full scope of your dependency chain
- Cross-referencing with vulnerability databases including the GitHub Advisory Database, National Vulnerability Database (NVD), and others
- Monitoring for new vulnerabilities as they are disclosed and published
When the dependency graph is enabled, it automatically:
- Maps your entire dependency tree showing both direct and indirect dependencies
- Alerts on vulnerable dependencies with detailed information about the vulnerability (CVE numbers, CVSS scores, affected versions)
- Provides automated pull requests with version updates to fix vulnerabilities (via Dependabot)
- Shows licensing information to help with compliance and legal reviews
The visual representation makes it easy to understand complex dependency relationships and trace how vulnerabilities might impact your application through the dependency chain.
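As an added example (not from the original page), the Dependabot configuration below keeps the manifests the dependency graph parses up to date. The ecosystems, directory and intervals are assumptions about a hypothetical repository. Note that this file configures version updates; Dependabot security updates, which open PRs specifically for vulnerable dependencies, are enabled separately in the repository's security settings.

```yaml
# Assumed file path: .github/dependabot.yml
version: 2
updates:
  # npm dependencies from package.json / package-lock.json (assumed to exist)
  - package-ecosystem: "npm"
    directory: "/"
    schedule:
      interval: "weekly"
    open-pull-requests-limit: 5     # cap noise from many simultaneous updates
    groups:
      minor-and-patch:
        update-types: [ "minor", "patch" ]   # batch low-risk bumps into one PR

  # Python dependencies from requirements.txt (assumed to exist)
  - package-ecosystem: "pip"
    directory: "/"
    schedule:
      interval: "weekly"

  # Pin the actions used by workflows, including the CodeQL action itself
  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      interval: "weekly"
```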

The dependency graph can help to ensure that the code in a repository is free from known vulnerabilities, and can also help developers to identify and fix issues early in the development process. It can also help to reduce the risk of data breaches and other security incidents caused by known vulnerabilities in dependencies.
Access Control
Access control is a feature of GitHub Advanced Security that allows repository administrators to control who can view, push, or make changes to the code in a repository by setting up different levels of access for different users or teams.
Access control can be set up on a repository-by-repository basis, allowing administrators to have fine-grained control over the access to their code. Access levels can include read, write, and admin permissions, and can be configured for individual users or teams.
It also allows administrators to set up branch protection rules to control who can make changes to specific branches, and to require code reviews, pull request approvals, or other checks before changes can be committed to a branch.
Access control can help to ensure that only authorized users and teams can access and make changes to the code in a repository, and can also help to prevent unauthorized changes and data breaches. This feature can also help to improve the overall security and compliance of a codebase, by providing a way to control and audit access to the code.
Resources
These resources provide detailed information on how to use and configure the various features of GitHub Advanced Security, as well as best practices for securing code repositories.
They also provide information on how to integrate GitHub Advanced Security with other tools and services to further enhance the security of your codebase.