How to Use GHAS for Maximum Impact
In this unit, we will cover:
- Understanding the dependency graph
- Acting on GHAS alerts
- Who has access to alerts
The Dependency Graph: At the Heart of Supply Chain Security
The dependency graph identifies all upstream and downstream public dependencies of a repository or package.
You can view your repository’s dependencies and some of their properties (such as vulnerabilities) in the Insights tab of the repository.
GitHub generates this graph from explicit dependencies declared in manifest and lock files. Once enabled, it automatically scans all known manifest files to build a graph with the names and versions of dependencies.
Key Points:
- Includes direct and transitive dependencies
- Updates automatically when a commit modifies or adds a supported manifest or lock file
- Also updates when one of the repository's dependencies changes in its own repository
- Accessible via the Insights tab on the repository’s main page
- Can be exported in SBOM format compatible with SPDX, via the GitHub interface or REST API
- The dependency submission API (beta) allows submitting dependencies even if the ecosystem is not supported
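The dependency submission API mentioned above lets a build or CI job report dependencies that GitHub cannot read from a manifest on its own. The following added example (not code from this unit or from GitHub) shows the shape of such a snapshot: it translates a constructed, lockfileVersion-3 `package-lock.json` excerpt into the `manifests[...].resolved` map, marking each package as a direct or indirect dependency and encoding its package URL. The lockfile contents, the `sample-app` name and the `lockfile-to-snapshot-example` detector name are assumptions for the demonstration; the endpoint path in `submit_snapshot` is the real dependency-graph snapshots endpoint, but the function is only shown, not called, because it needs network access and a token.

```python
import json
import urllib.request
from datetime import datetime, timezone
from urllib.parse import quote

# Constructed stand-in for a lockfileVersion-3 package-lock.json (not a real project).
# The root entry ("") lists direct dependencies; node_modules/* entries hold resolved versions.
SAMPLE_LOCKFILE = {
    "name": "sample-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"dependencies": {"left-pad": "^1.3.0", "@scope/util": "^2.0.0"}},
        "node_modules/left-pad": {"version": "1.3.0"},
        "node_modules/@scope/util": {"version": "2.0.1", "dependencies": {"tiny-dep": "^0.1.0"}},
        "node_modules/tiny-dep": {"version": "0.1.4"},
    },
}


def npm_purl(name: str, version: str) -> str:
    """Build a package URL; the '@' of a scoped npm name must be percent-encoded."""
    return f"pkg:npm/{quote(name, safe='/')}@{version}"


def resolved_from_lockfile(lockfile: dict) -> dict:
    """Translate lockfile entries into the 'resolved' map of a dependency snapshot."""
    direct = set(lockfile["packages"][""].get("dependencies", {}))
    resolved = {}
    for path, entry in lockfile["packages"].items():
        if not path.startswith("node_modules/"):
            continue  # skip the root entry
        # Nested installs look like node_modules/a/node_modules/b; keep the last segment.
        name = path.rsplit("node_modules/", 1)[1]
        resolved[name] = {
            "package_url": npm_purl(name, entry["version"]),
            "relationship": "direct" if name in direct else "indirect",
            "scope": "development" if entry.get("dev") else "runtime",
            "dependencies": sorted(entry.get("dependencies", {})),
        }
    return resolved


def build_snapshot(lockfile: dict, sha: str, ref: str, job_id: str, correlator: str) -> dict:
    """Assemble the snapshot document accepted by the dependency submission API."""
    return {
        "version": 0,
        "job": {"id": job_id, "correlator": correlator},
        "sha": sha,
        "ref": ref,
        # Hypothetical detector metadata; a real submitter names its own tool here.
        "detector": {"name": "lockfile-to-snapshot-example", "version": "0.1.0",
                     "url": "https://example.invalid/detector"},
        "scanned": datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ"),
        "manifests": {
            "package-lock.json": {
                "name": "package-lock.json",
                "file": {"source_location": "package-lock.json"},
                "resolved": resolved_from_lockfile(lockfile),
            }
        },
    }


def submit_snapshot(owner: str, repo: str, token: str, snapshot: dict) -> dict:
    """POST the snapshot to the repository's dependency-graph snapshots endpoint (network call)."""
    req = urllib.request.Request(
        f"https://api.github.com/repos/{owner}/{repo}/dependency-graph/snapshots",
        data=json.dumps(snapshot).encode(),
        method="POST",
        headers={"Authorization": f"Bearer {token}",
                 "Accept": "application/vnd.github+json",
                 "Content-Type": "application/json"},
    )
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


if __name__ == "__main__":
    snap = build_snapshot(SAMPLE_LOCKFILE, "0" * 40, "refs/heads/main", "job-1", "ci-run-1")
    print(json.dumps(snap["manifests"]["package-lock.json"]["resolved"], indent=2))
```

Once a snapshot like this is accepted, the reported packages appear in the Insights dependency graph and are fed to Dependabot alerts just like packages read from a supported manifest, so the `relationship` and `dependencies` fields are worth getting right: they decide whether an alert is shown as a direct or transitive dependency.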
Features that rely on the graph:
- Dependency Review: Identifies changes and their security impact
- Dependabot Alerts: Detects vulnerabilities by cross-referencing graph data with the GitHub Advisory Database
- Dependabot Security Updates: Helps update vulnerable dependencies
- Dependabot Version Updates: Do not rely on the graph; they follow the semantic versioning of the declared packages
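Two of the points above, the SPDX SBOM export and the way Dependabot alerts cross-reference graph data with advisories, can be seen together in the added example below. It is not code from this unit or from GitHub: it walks a constructed SBOM excerpt shaped like the export (an `sbom` wrapper around SPDX packages whose `externalRefs` carry a `purl`), extracts ecosystem, name and version from each purl, and matches them against a constructed advisory list with version ranges. The advisory identifiers are placeholders, not real GHSA or CVE records, and the range syntax and severity ordering are assumptions made for the demonstration.

```python
import re
from urllib.parse import unquote

# Constructed SBOM excerpt in the shape of the SPDX export; package values are sample data.
SAMPLE_SBOM = {
    "sbom": {
        "spdxVersion": "SPDX-2.3",
        "name": "com.github.example/sample-app",
        "packages": [
            {"name": "left-pad", "versionInfo": "1.3.0", "externalRefs": [
                {"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl",
                 "referenceLocator": "pkg:npm/left-pad@1.3.0"}]},
            {"name": "requests", "versionInfo": "2.19.0", "externalRefs": [
                {"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl",
                 "referenceLocator": "pkg:pypi/requests@2.19.0"}]},
            {"name": "urllib3", "versionInfo": "1.26.5", "externalRefs": [
                {"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl",
                 "referenceLocator": "pkg:pypi/urllib3@1.26.5"}]},
        ],
    }
}

# Constructed advisories; the identifiers are placeholders, not real advisory records.
SAMPLE_ADVISORIES = [
    {"id": "GHSA-PLACEHOLDER-0001", "ecosystem": "pypi", "package": "requests",
     "severity": "moderate", "vulnerable_range": ">= 2.0.0, < 2.20.0", "patched": "2.20.0"},
    {"id": "GHSA-PLACEHOLDER-0002", "ecosystem": "pypi", "package": "urllib3",
     "severity": "high", "vulnerable_range": "< 1.26.5", "patched": "1.26.5"},
    {"id": "GHSA-PLACEHOLDER-0003", "ecosystem": "npm", "package": "left-pad",
     "severity": "low", "vulnerable_range": "< 1.0.0", "patched": "1.0.0"},
]

SEVERITY_ORDER = {"critical": 0, "high": 1, "moderate": 2, "low": 3}


def parse_purl(purl: str) -> tuple:
    """Split 'pkg:<type>/<name>@<version>' into (ecosystem, name, version)."""
    m = re.fullmatch(r"pkg:([^/]+)/(.+)@([^@?#]+)", purl)
    if not m:
        raise ValueError(f"unsupported purl: {purl}")
    return m.group(1), unquote(m.group(2)), m.group(3)


def version_key(version: str) -> tuple:
    """Numeric tuple for dotted versions so that 1.26.5 > 1.9.0 compares correctly."""
    return tuple(int(part) for part in version.split("."))


def in_range(version: str, range_expr: str) -> bool:
    """Evaluate a comma-separated list of '<op> <version>' clauses, all of which must hold."""
    ops = {
        "<": lambda a, b: a < b, "<=": lambda a, b: a <= b,
        ">": lambda a, b: a > b, ">=": lambda a, b: a >= b, "=": lambda a, b: a == b,
    }
    for clause in range_expr.split(","):
        m = re.fullmatch(r"(<=|>=|<|>|=)\s*([\d.]+)", clause.strip())
        if not m:
            raise ValueError(f"bad range clause: {clause!r}")
        if not ops[m.group(1)](version_key(version), version_key(m.group(2))):
            return False
    return True


def sbom_packages(sbom: dict):
    """Yield (ecosystem, name, version) for every package that carries a purl."""
    for pkg in sbom["sbom"]["packages"]:
        for ref in pkg.get("externalRefs", []):
            if ref.get("referenceType") == "purl":
                yield parse_purl(ref["referenceLocator"])


def match_advisories(sbom: dict, advisories: list) -> list:
    """Cross-reference SBOM packages with advisories, most severe first."""
    alerts = []
    for ecosystem, name, version in sbom_packages(sbom):
        for adv in advisories:
            if (adv["ecosystem"] == ecosystem and adv["package"] == name
                    and in_range(version, adv["vulnerable_range"])):
                alerts.append({"advisory": adv["id"], "package": f"{ecosystem}:{name}",
                               "installed": version, "patched": adv["patched"],
                               "severity": adv["severity"]})
    return sorted(alerts, key=lambda a: SEVERITY_ORDER[a["severity"]])


if __name__ == "__main__":
    for alert in match_advisories(SAMPLE_SBOM, SAMPLE_ADVISORIES):
        print(alert)
```

Note the boundary case: `urllib3` at exactly the patched version 1.26.5 produces no alert, and `left-pad` 1.3.0 is outside its placeholder range, so only the `requests` entry is reported. Running the same matcher over an SBOM exported before and after a pull request is, in effect, what the dependency review feature presents in the pull request view.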
Acting on GHAS Alerts
GHAS provides a comprehensive overview of an organization’s security posture and enables prioritization and effective risk management.
Types of GHAS Alerts:
- Code Scanning Alerts: CodeQL alerts identify vulnerabilities such as SQL injection, XSS, etc.
- Secret Scanning Alerts: Detect exposed secrets such as API keys or other sensitive credentials in source code
- Dependency Alerts (Dependabot): Detect outdated dependencies and suggest secure updates
Security Overview:
- Dashboard summarizing the repository’s security status
- Third-party alerts: Integration possible with external tools via SARIF files
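The third-party integration point above is the SARIF file: any tool whose findings can be expressed in SARIF 2.1.0 can have them shown as code scanning alerts. The following added example (not code from this unit or from GitHub) converts findings from a hypothetical linter into a SARIF document, checks the per-result fields code scanning needs to place an alert (a `ruleId`, a message text and a file location), and prepares the upload payload, which requires the SARIF to be gzip-compressed and then base64-encoded. The findings, the `hypothetical-linter` tool name and its rule identifiers are constructed for the demonstration.

```python
import base64
import gzip
import json

# Constructed findings from a hypothetical third-party linter (sample data, not real results).
SAMPLE_FINDINGS = [
    {"rule": "hardcoded-credential", "file": "src/db.py", "line": 12,
     "severity": "error", "text": "Credential literal passed to connect()"},
    {"rule": "weak-hash", "file": "src/auth.py", "line": 40,
     "severity": "warning", "text": "MD5 used for password hashing"},
]


def to_sarif(tool_name: str, tool_version: str, findings: list) -> dict:
    """Build a minimal SARIF 2.1.0 log with one run, one rule per distinct rule id."""
    rules = {}
    results = []
    for f in findings:
        rules.setdefault(f["rule"], {"id": f["rule"], "shortDescription": {"text": f["rule"]}})
        results.append({
            "ruleId": f["rule"],
            "level": f["severity"],  # SARIF levels: error, warning, note, none
            "message": {"text": f["text"]},
            "locations": [{"physicalLocation": {
                "artifactLocation": {"uri": f["file"]},
                "region": {"startLine": f["line"]},
            }}],
        })
    return {
        "$schema": "https://json.schemastore.org/sarif-2.1.0.json",
        "version": "2.1.0",
        "runs": [{
            "tool": {"driver": {"name": tool_name, "version": tool_version,
                                "rules": list(rules.values())}},
            "results": results,
        }],
    }


def validate_sarif(doc: dict) -> list:
    """Return a list of problems; an empty list means every result can become an alert."""
    problems = []
    if doc.get("version") != "2.1.0":
        problems.append("version must be 2.1.0")
    for run in doc.get("runs", []):
        for i, result in enumerate(run.get("results", [])):
            if "ruleId" not in result:
                problems.append(f"result {i}: missing ruleId")
            if not result.get("message", {}).get("text"):
                problems.append(f"result {i}: missing message.text")
            locations = result.get("locations") or []
            uri = (locations[0].get("physicalLocation", {}).get("artifactLocation", {}).get("uri")
                   if locations else None)
            if not uri:
                problems.append(f"result {i}: missing physicalLocation.artifactLocation.uri")
    return problems


def encode_for_upload(doc: dict) -> str:
    """The SARIF upload endpoint expects the file gzip-compressed, then base64-encoded."""
    return base64.b64encode(gzip.compress(json.dumps(doc).encode())).decode()


def decode_upload(blob: str) -> dict:
    """Inverse of encode_for_upload, useful for checking a payload before sending it."""
    return json.loads(gzip.decompress(base64.b64decode(blob)))


def upload_payload(doc: dict, commit_sha: str, ref: str) -> dict:
    """Request body for POST /repos/{owner}/{repo}/code-scanning/sarifs."""
    return {"commit_sha": commit_sha, "ref": ref, "sarif": encode_for_upload(doc)}


if __name__ == "__main__":
    sarif = to_sarif("hypothetical-linter", "0.1.0", SAMPLE_FINDINGS)
    print("problems:", validate_sarif(sarif))
    print(json.dumps(upload_payload(sarif, "0" * 40, "refs/heads/main"))[:120], "...")
```

The `validate_sarif` check is worth running in CI before the upload step: a result that lacks a location or rule id is silently harder to triage in the Security tab, and a malformed document is rejected only after the upload has been attempted.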
Consequences of Ignoring Alerts:
Ignoring a security alert can lead to:
- Exploitation by malicious actors
- Data breaches, service interruptions
- Increased remediation efforts, project delays, loss of trust
Long-term risks:
- Damage to reputation
- Regulatory non-compliance
- Financial losses
Developers should immediately analyze the nature and severity of the alert, assess its impact, and apply corrective measures.
Who Has Access to Alerts?
GHAS allows fine-grained access control, ensuring only authorized individuals can view sensitive alerts.
Access by Role:
- Code scanning and Dependabot alerts: Accessible to users with the Write role
- Secret scanning alerts: Accessible only to users with the Admin role
- Custom access: Any user or team can be granted access to all alerts via the repository's alert access settings
Effective access management improves collaboration and allows each member to focus on security aspects relevant to their role.
By understanding how to identify vulnerabilities, respond to alerts, manage access, and avoid risks associated with inaction, teams can fully leverage GHAS to create a more secure and resilient development environment.