Overview

In this engagement we will work with a pilot or lighthouse team to help them enable GitHub Advanced Security for one or more key repositories.

Offering level

• Ranging over Fundamentals [100], Intermediate [200], Advanced [300]
• Implementation services provided by Services Delivery Engineer

Target Audience

• Developers
• Product Security teams
• DevSecOps teams

Key features and benefits

• Guided session to help teams enable GitHub Advanced Security features on one or more repositories.
• Collaborate on customizing the configuration for the selected repositories to improve engagement and remediation rates.
• Provide a blueprint for the team, and the wider organization, to enable GitHub Advanced Security at scale.
• Accelerate the adoption of Advanced Security within your organization.

Engagement schedule

This offering consists of three sessions, described further below:

• Discovery - review proposed repositories, understand and align on pre-requisites (30 minutes).
• Delivery - screen sharing session where we walk through enablement (2-4 hours)
• Follow-up - screen sharing session where we review enablement and address any issues (2-4 hours)

Maximum session size is typically 10 people.

There are two schedules for this offering:

• Accelerated - delivered over 4 hours as part of the “GitHub Advanced Security - Getting Started” bundle.
• Standard - delivered standalone over 10 hours.

Syllabus

Discovery

The Discovery session is a quick 30-minute virtual meeting with the goal of aligning both teams on the same goals for the engagement, in order to ensure a mutually-agreed successful outcome. In this session, we will cover:

1. Introductions
2. Discuss the process for the engagement.
3. Explain the prerequisites to have any blockers eliminated prior to the Delivery session.
4. Select 1-5 repositories for GitHub Advanced Security enablement.
5. Schedule the Delivery and Follow-Up sessions.

Delivery

The Delivery session may either be 2 hours or 4 hours long. Regardless of the duration, GitHub Expert Services will walk the customer through the process of enabling GitHub Advanced Security on the selected repositories. However, with 4 hours, the customer is assured enough time to cover all of the listed features, talking points, and include time to troubleshoot errors.

• Demonstrate the process of enabling GitHub Advanced Security and its various features:
  • Code scanning
  • Secret scanning
  • Dependabot
  • Dependency Review
• Answer questions about GitHub Advanced Security.
• Support troubleshooting common build failures.

Follow Up

Similarly, the Follow-Up session may either be 2 hours or 4 hours long. If the Follow-Up session is only 2 hours in length, the focus will be to lightly address issues and offer suggestions, rather than deeply explore issues to their root cause. In this session, GitHub Expert Services revisits the customer’s pilot team to:

• Review the selected repositories;
• Ensure that the selected repositories have been enabled or blockers to enablement have been resolved;
• Address any remaining or new questions;
• And, ultimately, provide the customer a sense of closure and resolution.

Learning outcomes/business outcomes

After completing this workshop participants will have:

• GitHub Advanced Security enabled on one or more repositories.
• Developers are able to take responsibility for enabling GitHub Advanced Security in their own repositories.
• A blueprint for enabling GitHub Advanced Security on further repositories in your organization.

Pre-requisites

• Must have purchased GitHub Advanced Security prior to session 2.
• Must have enough available GitHub Advanced Security seats to enable the selected repositories prior to session 2.
• Code base must be in GitHub prior to session 2.
• The attendees must either:
  1. Have administrative privilege of the selected repositories; or
  2. Have GitHub administrators enable GitHub Advanced Security on the selected repositories prior to session 2.
• If the selected repositories reside on a GitHub Enterprise Server, then GitHub Advanced Security must be enabled in the Management Console prior to session 2.
• If the selected repositories contain C, C++, C#, or Java code, then the customer is expected to know the commands to successfully compile such code from a command-line interface prior to session 2.
• If a third-party CI/CD solution is to be used for CodeQL analysis, the third-party CI/CD solution must be available and ready for use prior to session 2.