Introduction to POC
GitHub Advanced Security is a feature set that analyzes GitHub repositories to find security vulnerabilities and coding errors. It moves vulnerability scanning to the repository level, so issues are found when developers push code rather than after it has been deployed.
Github Advanced Security Features
A GitHub Advanced Security license provides the following additional features:
Code scanning
Code scanning analyzes the code in a GitHub repository to find security vulnerabilities and coding errors.
Secret scanning
If your project communicates with an external service, you might use a token or private key for authentication. Secret scanning guards against accidentally committed credentials: it scans the entire repository and raises an alert whenever a known secret format (such as a cloud provider key or an API token) is found in the code.
How to use Github Advanced Security features
You can run code scanning on GitHub, using GitHub Actions, or from your continuous integration (CI) system.
Code scanning using Github Action
- Set up code scanning by adding a GitHub Actions workflow to the repository.
- Typically, you don't need to edit the default workflow for code scanning. However, if required, you can edit the workflow to customize some of the settings. For example, you can edit GitHub's CodeQL analysis workflow to specify the frequency of scans, the languages or directories to scan, and what CodeQL code scanning looks for in your code. You might also need to edit the CodeQL analysis workflow if you use a specific set of commands to compile your code.
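The following workflow is an added example, not the page's own file or GitHub's stock template: it shows the customizations listed in this section in one place (scan on push, on pull request and on a weekly schedule; an explicit language list; a per-language operating system; a custom build command for the compiled language; an extended query suite). It assumes a repository with Java code built by Maven plus JavaScript, a default branch named `main`, and the `github/codeql-action` v3 actions; the cron expression and branch names are placeholders to adjust.

```yaml
name: "CodeQL"

on:
  push:
    branches: [ main ]
  pull_request:
    branches: [ main ]
  schedule:
    - cron: '30 3 * * 1'   # weekly, Monday 03:30 UTC

# Least privilege: the job only reads the checkout and writes code scanning alerts.
permissions:
  contents: read
  security-events: write

jobs:
  analyze:
    runs-on: ${{ matrix.os }}
    strategy:
      fail-fast: false
      matrix:
        include:
          - language: java
            os: ubuntu-latest      # the OS the Java build needs
          - language: javascript
            os: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      # Initializes CodeQL for the matrix language; "security-extended" adds lower
      # precision security queries on top of the default code scanning suite.
      - uses: github/codeql-action/init@v3
        with:
          languages: ${{ matrix.language }}
          queries: security-extended

      # Compiled languages need a real build that CodeQL can observe; interpreted
      # languages (javascript here) have no build step and skip this.
      - if: matrix.language == 'java'
        run: mvn -B -DskipTests package

      # Runs the queries and uploads the SARIF results as code scanning alerts.
      # The category keeps results from different languages of the same commit apart.
      - uses: github/codeql-action/analyze@v3
        with:
          category: "/language:${{ matrix.language }}"
```

Dropping the `schedule` trigger turns this back into push and pull-request scanning only; adding a `paths-ignore` filter under `init` (via a CodeQL config file) restricts which directories are analyzed.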
Pros
- You can configure the CodeQL analysis workflow to scan code on a schedule or when specific events occur in the repository, for example on every push and on every pull request. This catches new vulnerabilities and errors before they are merged.
- If your code requires a specific operating system to compile, you can configure the operating system in your CodeQL analysis workflow.
- In general, you do not need to worry about where the CodeQL analysis workflow places CodeQL databases.
- Everything runs on GitHub's infrastructure; there is no server to install or maintain.
- Scans run asynchronously on GitHub-hosted runners and do not block the developer.
- Capacity is managed by GitHub, so there are no scaling issues to handle on your side.
Limitations
- The CodeQL action must be configured separately in every repository (one workflow file per repo).
Code scanning in CI System
If you use a third-party continuous integration or continuous delivery/deployment (CI/CD) system, you can run CodeQL analysis in your existing system and upload the SARIF (Static Analysis Results Interchange Format) results to GitHub.
The CodeQL runner is a command-line tool for running code scanning on code that you process in a third-party continuous integration (CI) system. It runs CodeQL analysis on a checkout of a GitHub repository: you add the runner to your CI system, call it to analyze the code, and upload the results to GitHub, where they are displayed as code scanning alerts in the repository. Note that GitHub has since deprecated the CodeQL runner in favor of the CodeQL CLI, which covers the same steps (`codeql database create`, `codeql database analyze`, `codeql github upload-results`); new integrations should use the CLI.
Integration Steps
- Add the latest CodeQL runner (or CodeQL CLI bundle) to your CI pipeline (Jenkins, Azure Pipelines, etc.).
- Give the pipeline a token that can upload results. Create a personal access token under Settings > Developer settings > Personal access tokens > Generate new token, grant it only the `security_events` scope (full `repo` access is not required for uploading analysis results), and store it in the CI system's credential store rather than in the pipeline definition.
- Initialize CodeQL and create a queryable database from the checkout.
- Build the code (only for compiled languages such as Java and .NET; for interpreted languages skip the build step).
- Run the analysis against the database.
- Upload the SARIF results to GitHub.
- Review the results on GitHub under Security > Code scanning alerts.
For a basic example of the integration, see [1][2].
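The integration steps above as one shell script for a Jenkins or Azure Pipelines step, written as an added example (it is not the post's own code and not one of the referenced samples). It uses the CodeQL CLI rather than the deprecated runner and assumes the CLI bundle is on PATH as `codeql`, that the job has already checked out the repository, and that the upload token is injected from the CI credential store as the `CODEQL_TOKEN` environment variable; language names, build commands and the `CODEQL_DRY_RUN` switch are this example's own choices.

```shell
#!/bin/sh
# Added example (not the page's own code): CI-side CodeQL scan and SARIF upload.
# The token is handed to the CLI on stdin, never as a command-line argument where it
# would show up in process listings and job logs.
set -eu

# Build command per CodeQL language. Compiled languages need a real build so the
# extractor can observe the compiler; interpreted ones print nothing, meaning "skip the
# build step". Unknown languages are rejected before anything runs.
build_command_for() {
  case "$1" in
    java)   echo "mvn -B -DskipTests package" ;;
    csharp) echo "dotnet build --no-incremental" ;;
    cpp)    echo "make -j2" ;;
    go)     echo "go build ./..." ;;
    javascript|python|ruby) echo "" ;;
    *) echo "unsupported CodeQL language: $1" >&2; return 1 ;;
  esac
}

# Execute a command, or only print it when CODEQL_DRY_RUN=1 (for reviewing the pipeline).
run() {
  if [ "${CODEQL_DRY_RUN:-0}" = "1" ]; then
    echo "+ $*"
  else
    "$@"
  fi
}

# Create the database, build if needed, analyze, upload the SARIF file.
# Usage: codeql_scan_and_upload <language> <owner/repo> <ref> <commit-sha> [source-root]
codeql_scan_and_upload() {
  lang="$1"; repo="$2"; ref="$3"; sha="$4"; src="${5:-.}"
  : "${CODEQL_TOKEN:?set CODEQL_TOKEN to a PAT with the security_events scope}"
  db="codeql-db-$lang"
  sarif="codeql-$lang.sarif"
  build="$(build_command_for "$lang")"   # aborts the job on an unsupported language

  if [ -n "$build" ]; then
    run codeql database create "$db" --language="$lang" --source-root="$src" --command="$build"
  else
    run codeql database create "$db" --language="$lang" --source-root="$src"
  fi

  # Default code scanning suite for the language; --sarif-category keeps results for
  # different languages of the same commit apart in the Security tab.
  run codeql database analyze "$db" "$lang-code-scanning.qls" \
      --sarif-category="$lang" --format=sarif-latest --output="$sarif"

  printf '%s' "$CODEQL_TOKEN" | run codeql github upload-results \
      --repository="$repo" --ref="$ref" --commit="$sha" \
      --sarif="$sarif" --github-auth-stdin
  echo "$sarif"
}

# Typical Jenkins invocation (GIT_COMMIT and BRANCH_NAME are Jenkins-provided variables):
#   codeql_scan_and_upload java my-org/my-app "refs/heads/$BRANCH_NAME" "$GIT_COMMIT"
```

Run the script once with `CODEQL_DRY_RUN=1` to review the exact commands a pipeline would execute; the per-repository language list that the "service API" limitation below refers to is simply the first argument here, so a central pipeline can loop over one call per language.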
Pros
- Avoids configuring the CodeQL action in every repository; one central pipeline can scan many repos.
Limitation
- Requires scripting to automate the whole process on Jenkins or Azure Pipelines.
- Requires a service API that supplies the scan parameters for each repository, such as the languages to analyze.
Supported Languages and Frameworks
References
About Integration With Code Scanning