GitHub Advanced Security Bootcamp

PrerequisitesResources

This bootcamp is designed to help familiarize you with GitHub Advanced Security (GHAS) so that you can better understand how to use it in your own repositories.

📣 Prerequisites

To participate in the workshop you need a GitHub account and need to be invited to the workshop organization ghas-bootcamp. If your repository hasn't been automatically created in the workshop organization, either click Use this template and create a repository under this organization, or create a new repository and push a copy of the ghas-bootcamp repository to an organization with GHAS enabled.

git clone https://github.com/boxboat-demo/ghas-bootcamp.git
cd ghas-bootcamp
git remote set-url origin git@github.com:{org-or-username}/{repo-name}.git

🏫 Agenda

We will go over the following topics:

Day one

Day one learning

  • Comprehensive overview of GHAS
  • Securing your supply chain with dependency management
  • Secret scanning
  • Rolling out GHAS in your organization
  • Q&A

Day one: Dependabot and Secret scanning exercises

Dependabot: link
  • Enabling Dependabot alerts
  • Reviewing the dependency graph
  • Viewing and managing results
  • Enabling Dependabot security updates
  • Configuring Dependabot security updates
  • Working with Dependency Review
Secret scanning: link
  • Enabling secret scanning
  • Viewing and managing results
  • Excluding files from secret scanning
  • Custom patterns for secret scanning
  • Managing access to alerts
Day two

Day two learning

  • Explore how code scanning works
  • What is Security Overview?
  • CodeQL Demo
  • Final Q&A

Day Two: Code scanning + CodeQL demo

Code scanning: link
  • Enabling code scanning
  • Reviewing any failed analysis jobs
  • Using context and expressions to modify build
  • Reviewing and managing results
  • Triaging a result in a PR
  • Customizing CodeQL configuration
  • Adding your own code scanning suite to exclude rules
  • Understanding how to add a custom query
  • CodeQL demo

📚 Resources