Define GHAS and the Importance of Its Key Features
In this unit, we will cover the following:
- Secret scanning
- Code scanning
- Dependabot
- How to create a more secure software development lifecycle using these three features
Let’s start with a brief review of GHAS.
What is GHAS?
GHAS (GitHub Advanced Security) is an advanced security solution integrated into GitHub Enterprise. It provides powerful tools to detect vulnerabilities, protect secrets, analyze code, and manage dependencies in private repositories.
Its goal is to integrate security from the very beginning of the development lifecycle, in order to produce software that is safer, more reliable, and compliant with security best practices.

GitHub Advanced Security (or GHAS) is an application security solution that empowers developers.
Advanced security is integrated directly into your workflow to help prevent vulnerabilities and credential leaks without slowing down development.
GitHub Advanced Security is like having a personal security consultant reviewing every line of code, backed by the expertise of security professionals worldwide.
Ensuring the security of applications and the software supply chain has never been more critical.
According to Gartner, by 2025, 45% of global organizations will be impacted by a supply chain attack.
Based on Verizon’s 2022 Data Breach Report, applications remain one of the most common attack vectors, involved in more than 40% of data breaches.
Integrating security into your software development process may seem complex. That’s why we will examine three key GHAS features and how they help your team stay protected against current threats:
- Secret scanning
- Code scanning
- Dependabot

Secret Scanning
Secret scanning is an essential security feature of GitHub Advanced Security (GHAS), designed to identify and mitigate the accidental exposure of sensitive information, such as API keys and access tokens present in the source code.
This scanning process is crucial for preventing unauthorized access and protecting confidential data.
Secret scanning works by searching for predefined patterns and signatures that indicate the presence of sensitive information, ensuring that potential risks are addressed quickly.
By default, the scan uses highly accurate patterns provided by GitHub partners, but it is also possible to create custom patterns for other use cases.
Key Features of Secret Scanning
- Push Protection: Proactively prevents secret leaks by scanning commits as they are pushed and rejecting the push if a secret is detected, so the secret never reaches the repository history.
- Integrated Alerts: Ability to view and fix alerts directly in GitHub without leaving the development environment.
In a secure software development lifecycle, secret scanning plays a central role in preventing accidental leaks of critical information.
By integrating this scanning early in the development process, teams can quickly identify and remediate exposed secrets, reducing the risk of data breaches and ensuring the confidentiality of sensitive information throughout the lifecycle.

Code Scanning
Code scanning is an essential feature of GitHub Advanced Security (GHAS) that analyzes source code to detect security vulnerabilities and programming errors.
It uses static analysis techniques to identify potential issues such as:
- SQL injections
- XSS (cross-site scripting) attacks
- Buffer overflows
By providing automated feedback directly within the pull request workflow, code scanning enables developers to fix vulnerabilities early in the development process.
This feature improves the overall security of a software project by identifying and correcting flaws before they reach production.
By adopting a proactive approach to security, code scanning:
- Reduces the potential impact of threats
- Improves code quality
- Accelerates the development cycle by reducing the time spent fixing issues after deployment

Dependabot
Dependabot is an automated dependency management tool responsible for keeping the libraries and frameworks used in a project up to date.
It regularly checks for available updates and automatically opens pull requests to update dependencies to their latest and most secure versions.
Dependabot helps maintain a secure and stable development environment by fixing vulnerabilities found in outdated dependencies.
In a secure software development lifecycle, dependency management is essential to reduce risks associated with known vulnerabilities.
Dependabot simplifies the update process, ensuring that projects benefit from the latest security patches and improvements.
By automating this aspect of security, Dependabot helps create a resilient and secure foundation for the entire development process.
With GitHub Advanced Security, Dependabot’s features are extended to include Dependency Review, which allows you to check for vulnerable dependencies in a pull request.
This review helps fix vulnerabilities before they are merged into a shared branch.
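The two pieces described above, automated dependency updates and dependency review on pull requests, are configured in two files. Both are added examples and not configuration from the original page; the npm ecosystem, the branch name and the severity threshold are assumptions.

```yaml
# File 1: .github/dependabot.yml
# Added example (not from the original page). Weekly Dependabot version
# updates for an npm project (ecosystem is an assumption), with minor and
# patch bumps grouped into a single pull request.
version: 2
updates:
  - package-ecosystem: "npm"
    directory: "/"
    schedule:
      interval: "weekly"
    open-pull-requests-limit: 5
    groups:
      minor-and-patch:
        update-types: ["minor", "patch"]

---
# File 2: .github/workflows/dependency-review.yml
# Dependency review on every pull request: the check fails when a newly
# introduced dependency version has a known vulnerability of high or
# critical severity (threshold is an assumption).
name: "Dependency review"

on:
  pull_request:
    branches: [ "main" ]

permissions:
  contents: read
  pull-requests: write   # lets the action post its summary as a PR comment

jobs:
  dependency-review:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: Review new dependencies
        uses: actions/dependency-review-action@v4
        with:
          fail-on-severity: high
          comment-summary-in-pr: always
```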
Where to Enable Alerts for Secret Scanning, Code Scanning, and Dependabot
To enable any of these alerts at the repository level, start by navigating to the Security tab of your repository on GitHub.

Now that we have reviewed and enabled the three key GHAS features, let’s see how to implement them to create a more secure software development lifecycle.
Creating a More Secure Software Development Lifecycle with the Three Features
Secret scanning, code scanning, and Dependabot work together to strengthen the security of the software development lifecycle:
- Secret scanning prevents accidental exposure of sensitive information.
- Code scanning identifies and fixes vulnerabilities in the codebase.
- Dependabot automates dependency management.
By integrating these features, development teams can proactively address security issues at every stage of the development cycle.
This proactive approach reduces the likelihood of security incidents reaching production, enabling a more resilient, secure, and efficient development process.
The combined impact of these features ensures that security is not an isolated consideration but an integral part of the development workflow.
Security Features for Open Source Projects
Public projects on GitHub benefit from certain default security features, such as:
- Secret scanning
- Dependency graphs
GitHub automatically scans public repositories for patterns provided by its partners and sends alerts to repository administrators.
Public projects can also enable code scanning, Dependabot, and dependency review without a GitHub Advanced Security license.
However, these features are basic and may not provide the level of protection needed for more complex projects or enterprise environments.
Security Features with GHAS on GitHub Enterprise Cloud (GHEC)
When GitHub Advanced Security (GHAS) is combined with GitHub Enterprise Cloud (GHEC), a comprehensive set of security features becomes available for internal and private projects, including:
- Code scanning: Detect security vulnerabilities and coding errors in your code.
- Secret scanning: Detect secrets (keys, tokens, etc.) stored in private repositories.
  - Alerts for users and partners are free for public repositories on GitHub.com.
  - If push protection is enabled, secrets are also detected when they are pushed to the repository.
- Dependency review: Shows the full impact of changes to dependencies and details of vulnerable versions before merging a pull request.
Feature Availability Table
| Feature | Public Repo | Private Repo without Advanced Security | Private Repo with Advanced Security |
|---|---|---|---|
| Code scanning | ✅ | ❌ | ✅ |
| Secret scanning | ✅ | ❌ | ✅ |
| Dependency review | ✅ | ❌ | ✅ |