Coveros-GitHub-Sandbox/LearnGHAS

GitHub Advanced Security Helpful Resources

  • IaC
  • Linter
  • DAST
  • Third Party Integrations
  • GitHub Advanced Security Resources to research more

GitHub Advanced Security Bootcamp


This world-class bootcamp is designed to help familiarize you with GitHub Advanced Security (GHAS) so that you can better understand how to use it in your own repositories.

📣 Prerequisites

To participate in the workshop you need a GitHub account and an invitation to the workshop organization ghas-bootcamp. If a repository hasn't been created for you automatically in the workshop organization, either click Use this template and create a repository under that organization, or create a new repository and push a copy of the ghas-bootcamp repository to an organization with GHAS enabled. The secret scanning and code scanning exercises depend on GHAS being enabled for the repository: these features are free on public repositories, but private repositories need a GHAS licence, so check Settings > Code security and analysis before starting.

# clone the bootcamp repository, then point origin at your own copy
git clone https://github.com/ghas-bootcamp/ghas-bootcamp.git
cd ghas-bootcamp
git remote set-url origin git@github.com:{org-or-username}/{repo-name}.git
# push all branches so the exercises that branch off main have their history
git push -u origin --all

🏫 Agenda

We will go over the following topics:

Day one

Day one learning

  • Comprehensive overview of GHAS
  • Securing your supply chain with dependency management
  • Secret scanning
  • Rolling out GHAS in your organization
  • Q&A

Day one: Dependabot and Secret scanning exercises

Dependabot: link
  • Enabling Dependabot alerts
  • Reviewing the dependency graph
  • Viewing and managing results
  • Enabling Dependabot security updates
  • Configuring Dependabot security updates
  • Working with Dependency Review
Secret scanning: link
  • Enabling secret scanning
  • Viewing and managing results
  • Excluding files from secret scanning
  • Custom patterns for secret scanning
  • Managing access to alerts
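The Dependabot and secret scanning exercises above are driven from the repository's Settings > Code security and analysis page; the two configuration files below tune what those features do once enabled. They are an added example and not files from the ghas-bootcamp repository: the npm ecosystem, the express package and the ignored paths are assumptions chosen for illustration.

```yaml
# .github/dependabot.yml  (added example; ecosystem and package name are assumed)
version: 2
updates:
  - package-ecosystem: "npm"      # assumed: a package.json at the repository root
    directory: "/"
    schedule:
      interval: "weekly"
    open-pull-requests-limit: 5
    # Per GitHub's documentation, ignore conditions here are honoured by
    # Dependabot security updates as well as version updates: express still
    # receives patch and minor security fixes, but never an automatic major bump.
    ignore:
      - dependency-name: "express"
        update-types: ["version-update:semver-major"]
---
# .github/secret_scanning.yml  (added example; paths are assumed)
# Secret scanning raises no alerts for matches under these paths. Keep the
# list narrow: a broad glob such as "**/*.json" would hide real credentials,
# not just test fixtures.
paths-ignore:
  - "test/fixtures/**"
  - "docs/**/*.md"
```

Note that enabling Dependabot security updates is a repository setting, not something dependabot.yml switches on; the file only shapes the pull requests Dependabot opens. Excluded secret scanning paths are a standing blind spot, so review the list whenever the repository layout changes.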

Day two

Day two learning

  • Explore how code scanning works
  • What is Security Overview?
  • CodeQL Demo
  • Final Q&A

Day two: Code scanning and CodeQL demo

Code scanning: link
  • Enabling code scanning
  • Reviewing any failed analysis jobs
  • Using context and expressions to modify build
  • Reviewing and managing results
  • Triaging a result in a PR
  • Customizing CodeQL configuration
  • Adding your own code scanning suite to exclude rules
  • Understanding how to add a custom query
  • CodeQL demo
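The code scanning items above (enabling the workflow, using expressions to adjust the build, customizing the CodeQL configuration, excluding rules, and wiring in a custom query) come together in two files. This is an added example, not the bootcamp repository's own workflow: the javascript language, the main branch, the ignored paths, the custom-queries directory and the excluded query id are assumptions for illustration.

```yaml
# .github/workflows/codeql.yml  (added example; language and branch are assumed)
name: CodeQL
on:
  push:
    branches: [main]
  pull_request:
    branches: [main]
  schedule:
    - cron: "0 6 * * 1"        # weekly full scan picks up newly published queries

jobs:
  analyze:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      security-events: write    # required to upload SARIF results to code scanning
    strategy:
      fail-fast: false
      matrix:
        language: [javascript]  # assumed; add go, python, etc. if the repo has them
    steps:
      - uses: actions/checkout@v4
      - uses: github/codeql-action/init@v3
        with:
          languages: ${{ matrix.language }}
          config-file: ./.github/codeql/codeql-config.yml
      # Only compiled languages need a build step; an expression on the matrix
      # context skips autobuild for interpreted ones.
      - if: ${{ matrix.language != 'javascript' }}
        uses: github/codeql-action/autobuild@v3
      - uses: github/codeql-action/analyze@v3
        with:
          category: "/language:${{ matrix.language }}"
---
# .github/codeql/codeql-config.yml  (added example; query id and paths are assumed)
name: "Bootcamp CodeQL config"
queries:
  - uses: security-extended                 # built-in suite beyond the default
  - uses: ./.github/codeql/custom-queries   # assumed dir with a qlpack.yml and .ql files
paths-ignore:                               # only affects interpreted languages
  - "test/**"
  - "**/*.min.js"
query-filters:
  - exclude:
      id: js/log-injection                  # suppress one rule repository-wide
```

Queries listed in the config file are added on top of the default suite unless `disable-default-queries: true` is set, so an exclusion in `query-filters` is the right tool for silencing a single noisy rule while keeping the rest. Because the config file lives in the repository, a pull request can change which rules run on itself; protect the `.github/codeql` directory with a CODEOWNERS rule or branch protection if that matters in your organization.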

📚 Resources
