GitHub Advanced Security: A Complete Guide with Examples

By Sruthy


Sruthy, with her 10+ years of experience, is a dynamic professional who seamlessly blends her creative soul with technical prowess. With a Technical Degree in Graphics Design and Communications and a Bachelor’s Degree in Electronics and Communication, she brings a unique combination of artistic flair…

Updated March 7, 2024

This GitHub Advanced Security tutorial explains how to build secure code quickly using two of its features, GitHub Secret Scanning and GitHub Code Scanning, and how they help maintain code quality.

GitHub is a web-based service for Software Development and Version Control using Git. It provides features like issues, Project Planning, CI/CD, and Wiki support.

Apart from the above features, it is also very important to maintain the quality of your code and to build secure code.


GitHub Advanced Security – A Detailed Study

[Screenshot: GitHub Advanced Security]

GitHub provides integrated security features, known collectively as GitHub Advanced Security (GHAS), which include the following two features:

  • Secret Scanning: Detects secrets such as passwords, internal URLs and tokens that users have committed to the repository. When Push Protection is also enabled, secrets are detected before the code is pushed to the repository.
  • Code Scanning: Searches the code for security vulnerabilities and coding errors.

GHAS is enabled by default for public repositories. For other repositories, a license needs to be purchased, after which the feature can be enabled at the Organization level or at the Repository level. If a user contributes to multiple Organizations or repositories, that user still consumes only a single license seat.

Using these security features is also integral to DevSecOps. In this article, we will look at hands-on examples of each GHAS feature.

GitHub Secret Scanning

Project teams unknowingly commit secrets such as passwords, usernames or internal URLs, which is not the right practice for building secure code. Since the code base can be huge, it is very difficult to search for such secrets manually. So, let’s look at how to enable Secret Scanning in your GitHub Organization or Repository.

In your GitHub Organization, go to Settings -> Security -> Code security and analysis and, under Secret scanning, select the check box ‘Automatically enable for new public repositories’. Since a license has to be procured to enable GHAS for private repositories, we will look at examples based on PUBLIC repositories.

GitHub Secret Scanning automatically scans for tokens issued by various providers. The list of providers and the types of secrets supported by the scan can be found at Secret scanning patterns – GitHub Docs. An alert is then generated and reported for each token found.

For example, a github_personal_access_token entered in code will automatically be reported as a secret.

GitHub Secret Scanning also supports custom patterns. Let’s start by enabling Secret Scanning in the organization and repository.

[Screenshot: enabling Secret Scanning in the organization]

In the repository settings under Security -> Code security and analysis click on Enable under Secret Scanning.

[Screenshot: Secret Scanning enabled for the repository]

Once enabled, it will look as shown. We will look at the Push protection feature in the next section.

[Screenshot: Push protection setting]

Grant Access to the security alerts

Security alerts are normally visible to people with write or admin access. If additional people need to be given access to view the alerts, go to the Settings TAB of the repository, and in the “Security” section, click on Code Security and Analysis.

Under “Access to alerts“, in the search field, start typing the name of the person to provide access. Click on Save changes.

[Screenshot: Access to alerts]

Example of Secret Scan:

In my PUBLIC repository, I have added my GitHub personal access token to a readme file. For private repositories, you will need a GHAS license.

[Screenshot: token added to the readme file]

Once you commit the changes go to the Security TAB of the repository and you will get to see an alert for the Token detected. Click on the link ‘View detected secrets’, next to ‘Secret scanning alerts’.

[Screenshots: Security overview and Secret scanning alerts]

Closing the alerts

To close the alerts, select the secret scan alerts and click on the Close alert dropdown. Select a reason as shown. Click on Close alert.

[Screenshot: Close alert dropdown]

Additional example:

A JFrog Artifactory API key was added to the repository.

[Screenshot: JFrog Artifactory API key added]

Go to the Security TAB to view the alerts.

[Screenshot: alert for the JFrog Artifactory API key]

Everyone will agree that secrets of this kind, and of course custom secrets such as usernames, passwords or internal URLs, should never be added to the source code.

Push Protection With Secret Scanning

In the previous section, we looked at how secrets are detected after a commit has been pushed. In this section, we will look at protecting the push itself, i.e. checking the push for secrets. This means that the secrets are detected before the push to the repository is completed.

The user can then review the secrets and remove them, or allow the secrets to be pushed (bypass the protection) in the case of false positives or if they need to be fixed at a later stage.

Enable Push Protection for an organization

To enable Push Protection for an organization, go to the Settings of the organization and, in the Security section, click on Code Security and Analysis.

Under Secret scanning -> Push Protection, click on Enable all and select the check box ‘Automatically enable for repositories added to secret scanning’.

[Screenshot: enabling Push Protection for the organization]

Enable Push Protection for the repository

To enable Push Protection for a repository, go to the Settings of the repository. In the Security section, click on Code Security and Analysis.

Under Secret scanning -> Push Protection, click on Enable.

[Screenshot: enabling Push Protection for the repository]

These settings are for public repositories and for other repositories you will need to have GHAS licenses.

Push Protection Example:

Clone a repository and add a secret to the readme file, e.g. a GitHub personal access token (PAT).

[Screenshot: secret added to the readme file]

Commit the changes and push the changes. You can see that GitHub has blocked the push.

[Screenshot: git push blocked by Push Protection]

You can remove the secret from your branch or follow the provided URL in the output shown to allow the secret. Open the URL provided and follow the options to allow the secret.

[Screenshot: options to allow the secret]

Select an option and click on ‘Allow me to push this secret’. You should see the below message.

[Screenshot: confirmation message after allowing the secret]

Now retry the ‘git push’ command and it should go through.

[Screenshot: git push succeeding after the secret was allowed]
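To make the push-protection flow above concrete, here is an added example (not GitHub's own code, and not the article's) of a local pre-push style check that a team could run before the code ever reaches GitHub: it scans file text for token-shaped strings, reports each finding with a redacted preview, and honours an allowlist that mirrors the ‘Allow me to push this secret’ bypass for false positives. The GitHub PAT shape (`ghp_` followed by 36 alphanumerics) and the internal-URL regex standing in for a custom pattern are assumptions made for this example, as are the constructed readme contents and the fake token in them.

```javascript
// Added example: a local secret check in the spirit of push protection.
// Patterns are assumptions for this example, not GitHub's published
// pattern definitions. The internal-URL regex plays the role of a custom
// pattern such as an organisation would define in GHAS.
const SECRET_PATTERNS = [
  { name: "github_personal_access_token", regex: /\bghp_[A-Za-z0-9]{36}\b/g },
  { name: "custom_internal_url", regex: /https?:\/\/[a-z0-9.-]*\.internal\.example\b[^\s"']*/gi },
];

// Redact a match so the check's output never echoes the full secret.
function redact(secret) {
  if (secret.length <= 8) return "*".repeat(secret.length);
  return secret.slice(0, 4) + "*".repeat(secret.length - 8) + secret.slice(-4);
}

// Scan a file's text. `allowlist` holds fingerprints ("type:redacted") that a
// reviewer has explicitly allowed, mirroring the bypass for false positives.
// Returns every finding plus whether the push should be blocked.
function scanForSecrets(text, allowlist = new Set()) {
  const findings = [];
  text.split("\n").forEach((line, index) => {
    for (const { name, regex } of SECRET_PATTERNS) {
      regex.lastIndex = 0; // reset the global regex between lines
      let match;
      while ((match = regex.exec(line)) !== null) {
        const preview = redact(match[0]);
        findings.push({
          type: name,
          line: index + 1,
          preview,
          allowed: allowlist.has(`${name}:${preview}`),
        });
      }
    }
  });
  return { blocked: findings.some((f) => !f.allowed), findings };
}

// Constructed sample readme; the token below is fake, built for this example.
const SAMPLE_README = [
  "# my-service",
  "",
  "Deploy with:",
  "  TOKEN=ghp_0123456789abcdefghijABCDEFGHIJklmnop ./deploy.sh",
  "Registry: https://artifacts.internal.example/repo",
].join("\n");

// Usage: a pre-push hook would call scanForSecrets on each file about to be
// pushed and exit non-zero when `blocked` is true.
const result = scanForSecrets(SAMPLE_README);
for (const f of result.findings) {
  console.log(`${f.allowed ? "allowed" : "BLOCKED"} ${f.type} at line ${f.line}: ${f.preview}`);
}
console.log(result.blocked ? "push would be blocked" : "push allowed");
```

The allowlist keys on the redacted form rather than the raw secret so that the allow decision can itself be committed without storing the secret; a real hook would use a hash of the full value instead, which is a stronger fingerprint at the cost of a crypto dependency.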


GitHub Code Scanning

Code Scanning in a GitHub repository analyzes the code and finds security vulnerabilities and errors in the source code. Each vulnerability or error that Code Scanning finds is raised as an alert and shown in the repository.

Once the code is fixed, the alert is closed. Alerts are generated by GitHub’s default CodeQL analysis. CodeQL runs in a GitHub Actions workflow to generate code scanning alerts, using either the Default setup (which configures code scanning automatically) or the Advanced setup when the default setup does not understand the languages in the repository.

Code Scanning is available for all public repositories; for private repositories owned by an organization, you will need a GHAS license.


To enable Code Scanning in the organization settings, go to the ‘Code security and analysis’ section and click on Enable All next to Code Scanning.

[Screenshot: Code scanning setting in the organization]

CodeQL supports the following languages: `cpp`, `csharp`, `go`, `java`, `javascript`, `python`, `ruby`, `swift`

Next, go to the repository settings and click on Set up -> Advanced next to CodeQL analysis. The repository being set up for code scanning here is a Java project.

[Screenshot: CodeQL analysis set up options]

This will open up a GitHub Actions YML file. In this file, I do not need a schedule and will remove it. The auto-build section can also be modified. The rest of it can be retained as it is. Click on Commit changes to trigger the workflow.

[Screenshot: CodeQL GitHub Actions workflow file]

If you run the Code Scan on an application that is insecure, you will get to see the alerts in the Security TAB. As an example, I have run the Code Scan on a JavaScript application, and the alerts are published.

[Screenshot: Code scanning alerts for the JavaScript application]

Some of the common vulnerabilities in web applications are Cross-Site Scripting, SQL Injection, and Sensitive cookie exposure. You can read about these and look at ways to adopt good coding practices.
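To show what a code scanner such as CodeQL is looking for in the three vulnerability classes just named, here is an added example (not the article's code, and not taken from CodeQL or any framework): each weakness appears as the pattern that gets flagged, next to a hardened version. The helper names, the query placeholder style and the constructed inputs are assumptions made for this example.

```javascript
// Added example: common web-application weaknesses beside their hardened forms.

// --- 1. Cross-site scripting ------------------------------------------------
// Escape the characters that matter in HTML text and attribute contexts.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Vulnerable: untrusted input is inserted into the page as markup.
function renderGreetingUnsafe(name) {
  return `<p>Hello, ${name}!</p>`;
}

// Hardened: the same input is rendered as text.
function renderGreetingSafe(name) {
  return `<p>Hello, ${escapeHtml(name)}!</p>`;
}

// --- 2. SQL injection -------------------------------------------------------
// Vulnerable: the query text itself changes with the input.
function buildUserQueryUnsafe(username) {
  return `SELECT id, name FROM users WHERE name = '${username}'`;
}

// Hardened: fixed query text plus a separate parameter list, the shape that
// database drivers accept for parameterised queries (placeholder style is an
// assumption here; drivers differ).
function buildUserQuerySafe(username) {
  return {
    text: "SELECT id, name FROM users WHERE name = $1",
    values: [username],
  };
}

// --- 3. Sensitive cookie exposure -------------------------------------------
// Vulnerable: a session cookie with no protective attributes.
function sessionCookieUnsafe(sessionId) {
  return `session=${sessionId}`;
}

// Hardened: HttpOnly keeps the cookie away from script, Secure keeps it off
// plain HTTP, SameSite limits cross-site sending. Returns a Set-Cookie value;
// the session id is validated so it cannot smuggle in extra attributes.
function sessionCookieSafe(sessionId) {
  if (!/^[A-Za-z0-9_-]+$/.test(sessionId)) {
    throw new Error("session id contains characters not allowed in a cookie value");
  }
  return `session=${sessionId}; HttpOnly; Secure; SameSite=Strict; Path=/`;
}

// Constructed inputs that exercise each weakness.
const XSS_INPUT = "<script>alert(1)</script>";
const SQLI_INPUT = "' OR '1'='1";

console.log(renderGreetingUnsafe(XSS_INPUT));  // markup would execute in a browser
console.log(renderGreetingSafe(XSS_INPUT));    // markup shown as text
console.log(buildUserQueryUnsafe(SQLI_INPUT)); // WHERE condition rewritten by input
console.log(buildUserQuerySafe(SQLI_INPUT));   // input stays a bound value
console.log(sessionCookieUnsafe("abc123"));
console.log(sessionCookieSafe("abc123"));
```

The scanner's view of these is a data-flow one: in the unsafe functions a value from outside the program reaches an HTML sink, a query string or a cookie header without passing through an escaping, parameterising or validating step, which is exactly the path the hardened versions break.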

Security TAB -> Code Scanning Alerts

[Screenshot: Code scanning alerts list]

You can click on the vulnerability to look at the details. Select the vulnerability and click on the Dismiss drop-down to select an option to close the vulnerability.

Dependency Review

GHAS also supports Dependency review which helps to catch vulnerable or insecure dependencies before they can be deployed to your environments. It helps to understand which dependencies were added, updated, and removed along with how many projects use these dependencies with the vulnerability data for these.

With dependency review, it is much better to avoid problems than to fix them later. For more information on configuring Dependency review with GitHub Actions, see Configuring dependency review – GitHub Docs.

Dependency review is enabled for public repositories; for private repositories owned by a GitHub Organization, it has to be enabled with a GHAS license.

Adopting GHAS at Scale

Developers normally go about their job of writing code while typically ignoring the security aspects. GHAS, through the features above, helps them build more secure code faster. For this, the active participation of developers is necessary across any company.

One cannot simply enforce these features on developers; a phased rollout approach is needed.

The phased approach could start from aligning the company goals: ensuring a reduction in vulnerabilities, identifying potentially high-risk repositories, increasing remediation rates so that security issues do not accumulate, meeting compliance requirements and, most importantly, making sure that secrets are not leaked to the outside world.

After this, it is very important to engage with developers to collect data about their repositories, to conduct a few pilot programs with high-impact project teams so that they become familiar with GHAS, and to send a proper usage document, along with the value they will get from it, to the developer and internal security groups.

Once the data is collected the features of Code Scanning and Secret Scanning can then be rolled out to the other teams.


Conclusion

In this article, we looked at the Security as Code approach, a very important aspect of securing your applications from attacks. Obviously, we do not want any broken code to be used in our applications.

GitHub, through its two most important Advanced Security features, Secret Scanning and Code Scanning, together with Dependency review, helps developers build secure code.
