DRAFT - GitHub Advanced Security

Understand and simplify adoption

hubber gitstua @gitstua

Agenda

  • Key Features of GitHub Advanced Security (GHAS)
  • Sample roll-out plan
  • Details of each step in the plan

GitHub Advanced Security Key Features

  • Secret Scanning to mitigate the risk of secrets
  • Code Scanning to reduce vulnerabilities in code
  • Integrate with and display results from other security tools (Veracode, Snyk, Fortify and any other tool that exports the SARIF format)
  • Dependabot to check for vulnerable dependencies and automate keeping dependencies up to date

1. What does success look like

Align

  • Reduce secrets in code
  • Identify high risk repos
  • Meet compliance requirements
  • Reduce vulnerabilities in code

2. Prepare to enable at scale

Code scanning

  • Collect information on your repositories and the languages used
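The inventory step above is easiest to do programmatically. The script below is an added example and is not part of the original deck: it lists an organization's repositories and their language breakdown through the GitHub REST API (assumed endpoints: GET /orgs/{org}/repos and GET /repos/{owner}/{repo}/languages, token in GITHUB_TOKEN) and ranks repositories by how much of their code CodeQL could analyse. The CODEQL_LANGUAGES set is an assumption as of the time of writing; the sample data is constructed so the planning function runs offline.

```python
"""Inventory repositories and their languages to plan a code scanning roll-out.

Added example, not part of the original deck. Assumes the REST endpoints
GET /orgs/{org}/repos and GET /repos/{owner}/{repo}/languages and a token in
GITHUB_TOKEN; without GITHUB_ORG/GITHUB_TOKEN it runs on constructed sample data.
"""
import json
import os
import urllib.request
from collections import Counter

# Languages CodeQL can analyse (assumption: the list as of the time of writing;
# check the current documentation before relying on it).
CODEQL_LANGUAGES = {
    "C", "C++", "C#", "Go", "Java", "Kotlin", "JavaScript", "TypeScript",
    "Python", "Ruby", "Swift",
}


def _get(url, token):
    """Authenticated GET returning parsed JSON (live call, needs network)."""
    req = urllib.request.Request(url, headers={
        "Authorization": f"Bearer {token}",
        "Accept": "application/vnd.github+json",
    })
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def fetch_repo_languages(org, token, api="https://api.github.com"):
    """Return {repo_name: {language: bytes}} for every non-archived repo in org."""
    repos = {}
    page = 1
    while True:
        batch = _get(f"{api}/orgs/{org}/repos?per_page=100&page={page}", token)
        if not batch:
            break
        for repo in batch:
            if repo.get("archived"):
                continue  # archived repos rarely justify scanning effort
            repos[repo["name"]] = _get(f"{api}/repos/{org}/{repo['name']}/languages", token)
        page += 1
    return repos


def plan_code_scanning(repo_languages):
    """Summarise language coverage and rank repos for a code scanning roll-out.

    Returns (language_totals, supported, unsupported):
      language_totals - bytes per language across all repos
      supported       - repos with at least one CodeQL language, ordered by the
                        share of their code CodeQL could analyse (highest first)
      unsupported     - repos with no CodeQL language (candidates for SARIF upload
                        from another tool)
    """
    totals = Counter()
    supported = []
    unsupported = []
    for name, langs in repo_languages.items():
        totals.update(langs)
        total_bytes = sum(langs.values())
        covered = sum(b for lang, b in langs.items() if lang in CODEQL_LANGUAGES)
        if covered:  # total_bytes is non-zero here, so the division is safe
            supported.append((name, covered / total_bytes))
        else:
            unsupported.append(name)
    supported.sort(key=lambda item: item[1], reverse=True)
    return totals, [name for name, _ in supported], sorted(unsupported)


# Constructed sample in the shape the languages endpoint returns (bytes per language).
SAMPLE_REPOS = {
    "web-frontend": {"TypeScript": 80000, "JavaScript": 15000, "CSS": 5000},
    "payments-api": {"Java": 120000, "Shell": 2000},
    "infra": {"HCL": 40000, "Shell": 6000},
    "legacy-app": {"PHP": 90000, "JavaScript": 10000},
}

if __name__ == "__main__":
    org, token = os.environ.get("GITHUB_ORG"), os.environ.get("GITHUB_TOKEN")
    data = fetch_repo_languages(org, token) if org and token else SAMPLE_REPOS
    totals, supported, unsupported = plan_code_scanning(data)
    print("Bytes per language:", dict(totals.most_common()))
    print("Enable CodeQL on (best coverage first):", supported)
    print("Need another tool plus SARIF upload:", unsupported)
```

The ordering is by analysable share rather than repository size so that a small, fully covered repository is not pushed behind a large one where CodeQL would only see a fraction of the code; combine the output with the "high risk repos" list from step 1 to pick pilot candidates.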

Secret scanning

  • Consider how any secrets found will be mitigated
  • Consider any custom patterns you may want for your enterprise, organization or repository

Integrate

  • Determine which integrations you will use for code scanning

3a. Secret Scanning

Pilot Secret scanning

  • Identify some high-impact projects which you will use to learn
  • Workshop before enablement
  • Piloting
  • Wrap-up workshop to evaluate learnings

3b. Code scanning (CodeQL)

Pilot Code scanning

  • Identify some high-impact projects which you will use to learn
  • Workshop before enablement
  • Consider Default setup
  • Configure sample SARIF upload
  • Run the pilot
  • Wrap-up workshop to evaluate learnings

4. Internal processes and procedures

Based on the learnings from the pilots, define internal processes and procedures

Document

  • Enable Code and Secret scanning on new organizations
  • Define remediation plans for secrets located in code
  • Manage vulnerabilities found with CodeQL and other tools
  • Define how you will educate your developers on getting the best out of GHAS

5. Secrets

Secret scanning

  • Enable push protection first so that new secrets are blocked at push time
  • Verify remediation process
  • Enable secret scanning on each organization
  • Remediate secrets starting with the most critical, using the security information in each repository
  • Review progress using security overview at enterprise and organization levels
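Deciding which secrets are "most critical" is easier with a consistent ranking. The script below is an added example and not part of the original deck: it takes the JSON array returned by the organization-level secret scanning alerts endpoint (saved to a file with gh api, for example), drops anything already resolved and orders the remaining alerts by validity, push protection bypass and repository visibility. The field names (state, validity, push_protection_bypassed, repository.private, secret_type) are assumed to follow the REST API; the weights and the sample alerts are constructed for illustration.

```python
"""Rank open secret scanning alerts so remediation starts with the most critical.

Added example, not part of the original deck. Reads the JSON array from the
organization-level secret scanning alerts endpoint; the field names are assumed
to follow the REST API and the weights are an illustrative policy, not GitHub's.
"""
import json
import sys
from collections import Counter

# Assumption: validity is reported as "active", "inactive" or "unknown";
# a missing value is treated as unknown.
VALIDITY_WEIGHT = {"active": 100, "unknown": 40, "inactive": 0}


def alert_score(alert):
    """Higher score means remediate sooner."""
    score = VALIDITY_WEIGHT.get(alert.get("validity"), VALIDITY_WEIGHT["unknown"])
    if alert.get("push_protection_bypassed"):
        score += 50  # someone pushed past the warning: review this one first
    if not alert.get("repository", {}).get("private", True):
        score += 30  # the secret is exposed in a public repository
    return score


def triage(alerts):
    """Return (repo, alert number, secret type, score) for open alerts, most critical first."""
    open_alerts = [a for a in alerts if a.get("state") == "open"]
    ranked = sorted(open_alerts, key=alert_score, reverse=True)
    return [
        (a["repository"]["full_name"], a["number"], a["secret_type"], alert_score(a))
        for a in ranked
    ]


def by_secret_type(alerts):
    """Count open alerts per secret type; useful for assigning remediation owners."""
    return Counter(a["secret_type"] for a in alerts if a.get("state") == "open")


def _alert(repo, number, kind, state="open", validity=None, bypassed=False, private=True):
    """Build a constructed alert in the shape of the REST API response."""
    alert = {
        "number": number,
        "state": state,
        "secret_type": kind,
        "push_protection_bypassed": bypassed,
        "repository": {"full_name": repo, "private": private},
    }
    if validity is not None:
        alert["validity"] = validity
    return alert


# Constructed sample alerts (secret types and repository names are made up).
SAMPLE_ALERTS = [
    _alert("acme/payments-api", 12, "aws_access_key_id", validity="active"),
    _alert("acme/website", 3, "github_personal_access_token", validity="unknown",
           bypassed=True, private=False),
    _alert("acme/infra", 7, "slack_incoming_webhook_url", validity="inactive"),
    _alert("acme/payments-api", 9, "stripe_api_key", state="resolved", validity="active"),
    _alert("acme/data-pipeline", 2, "google_api_key"),
]

if __name__ == "__main__":
    alerts = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_ALERTS
    for repo, number, kind, score in triage(alerts):
        print(f"{score:>4}  {repo}#{number}  {kind}")
    print("Open alerts by type:", dict(by_secret_type(alerts)))
```

Run it as `python triage_secrets.py alerts.json`; with no argument it uses the constructed sample. Resolved alerts are excluded rather than scored so the list shrinks as remediation progresses, which is the same signal the security overview shows at organization level.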

6a. Code scanning

Remediation

  • Educate the teams on how to mitigate vulnerabilities; assign subject matter experts
  • Enable code scanning for your organizations; consider enabling it for TypeScript or JavaScript first
  • Remediate vulnerabilities starting with the most critical, using the security information in each repository
  • Review progress using security overview at enterprise and organization levels

6b. Code scanning

Integration

  • Update your CI pipelines to use marketplace actions to integrate your other security tools
  • Verify the SARIF files are uploaded and you can view the alerts at repository level
  • Verify security overview at enterprise and organization levels show the alerts
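Most failed integrations show up as an upload that succeeds but produces no alerts, so it pays to check the SARIF file itself. The script below is an added example and not part of the original deck: it checks the properties that code scanning relies on (SARIF version 2.1.0, a tool driver name, a ruleId and a physical location per result) and summarises results per tool and level, so the numbers can be compared with what the repository's Security tab shows after the upload. The sample SARIF document and tool name are constructed.

```python
"""Sanity-check a SARIF file for code scanning upload and summarise its results.

Added example, not part of the original deck. The checks reflect the SARIF 2.1.0
properties code scanning uses to file alerts; the sample document is constructed.
"""
import json
import sys
from collections import Counter


def check_sarif(doc):
    """Return (problems, summary) for a parsed SARIF document.

    summary is a list of (tool_name, {level: count}) per run. The tool name is
    what the alert filter in the Security tab shows, so it is the quickest way to
    confirm that an upload from a third-party tool actually arrived.
    """
    problems = []
    if doc.get("version") != "2.1.0":
        problems.append(f"version is {doc.get('version')!r}, code scanning expects 2.1.0")
    runs = doc.get("runs") or []
    if not runs:
        problems.append("no runs in file")
    summary = []
    for i, run in enumerate(runs):
        name = run.get("tool", {}).get("driver", {}).get("name")
        if not name:
            problems.append(f"run {i}: tool.driver.name missing (alerts need a tool name)")
        levels = Counter()
        for j, result in enumerate(run.get("results", [])):
            if not result.get("ruleId"):
                problems.append(f"run {i} result {j}: ruleId missing")
            locations = result.get("locations") or []
            if not any("physicalLocation" in loc for loc in locations):
                problems.append(f"run {i} result {j}: no physicalLocation, alert cannot be placed on a file")
            # SARIF defaults a result with no explicit level to "warning"
            levels[result.get("level", "warning")] += 1
        summary.append((name, dict(levels)))
    return problems, summary


def _result(rule, path, line, level=None):
    """Build a constructed SARIF result with a physical location."""
    result = {
        "ruleId": rule,
        "message": {"text": f"constructed finding for {rule}"},
        "locations": [{"physicalLocation": {
            "artifactLocation": {"uri": path},
            "region": {"startLine": line},
        }}],
    }
    if level is not None:
        result["level"] = level
    return result


# Constructed sample: one run from a made-up tool, with one deliberately broken result.
SAMPLE_SARIF = {
    "version": "2.1.0",
    "$schema": "https://json.schemastore.org/sarif-2.1.0.json",
    "runs": [{
        "tool": {"driver": {"name": "ExampleScanner", "version": "0.0.0"}},
        "results": [
            _result("EX001", "src/app.js", 10, "error"),
            _result("EX002", "src/db.js", 42, "error"),
            _result("EX003", "src/util.js", 7),
            {"level": "note", "message": {"text": "no rule, no location"}, "locations": []},
        ],
    }],
}

if __name__ == "__main__":
    doc = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_SARIF
    problems, summary = check_sarif(doc)
    for tool, levels in summary:
        print(f"{tool}: {levels}")
    for problem in problems:
        print("PROBLEM:", problem)
    sys.exit(1 if problems else 0)
```

Run it as `python check_sarif.py results.sarif` in the CI job before the upload step; a non-zero exit stops the pipeline from uploading a file that would appear as an empty or mis-attributed run. After the upload, the per-tool counts in the summary should match the alert counts shown for that tool at repository level, and the same tool name should appear in the security overview filters.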

PREP

  • Create a new repo
  • Set up a few files

mermaid source

  gantt
    title GHAS Adoption
    dateFormat YYYY-MM-DD
    axisFormat %
    Align    : a, 2023-10-01, 5d
    Prepare  : p, 2023-10-04, 5d
    Pilot    : pilot, after p, 1w
    Document : d, after pilot, 5d
    Secrets  : s, after d, 10d
    Code     : c, after s, 10d

Default setup: https://github.blog/2023-01-09-default-setup-a-new-way-to-enable-github-code-scanning/