
GitHub Advanced Security

Secure your software supply chain with GitHub Advanced Security (GHAS). Master secret scanning, code scanning with CodeQL, Dependabot...

Training Overview

This comprehensive 1-day training provides in-depth knowledge and hands-on experience with GitHub Advanced Security (GHAS), the enterprise-grade security solution that helps organizations identify and remediate vulnerabilities throughout the software development lifecycle. Designed for security professionals, developers, and DevOps teams, this course covers everything from basic security features to advanced configuration and remediation strategies.

Who Should Attend

  • Security Engineers and Analysts
  • DevSecOps Engineers
  • Software Developers responsible for security
  • Application Security Specialists
  • System Administrators managing GitHub Enterprise
  • Compliance Officers
  • Technical Leads and Architects

Prerequisites

  • Good understanding of Git and GitHub
  • Basic knowledge of software development practices
  • Familiarity with security concepts (CVE, CWE)
  • Experience with at least one programming language
  • Basic understanding of CI/CD pipelines (beneficial)

Training Objectives

By the end of this training, you will be able to:

  • Describe GHAS security features and their role in the security ecosystem
  • Configure and use secret scanning with push protection
  • Enable and manage Dependabot and Dependency Review
  • Configure and use code scanning with CodeQL
  • Apply GHAS best practices and take corrective measures
  • Integrate security into every step of the SDLC
  • Prepare for the GH-500 GitHub Advanced Security certification

Training Content

1. Describe GHAS Security Features and Functionality (15%)

Contrast GHAS Features and Their Role

  • Understanding security features for open source projects
  • Features available with GHAS on GitHub Enterprise Cloud (GHEC)
  • Features available with GHAS on GitHub Enterprise Server (GHES)
  • Security Overview dashboard and its benefits
  • Differences between secret scanning and code scanning
  • How GHAS creates a secure software development lifecycle

Security Integration Scenarios

  • Isolated security review approach (traditional)
  • Advanced scenario: security integrated into each SDLC step
  • Benefits of shift-left security
  • Developer-centric security practices

Explain and Use Specific GHAS Features

  • How vulnerable dependencies are identified
  • Manifest file analysis and vulnerability databases
  • Choosing appropriate responses to GHAS alerts
  • Implications of ignoring security alerts
  • Developer's role in responding to security alerts
  • Access management for viewing alerts across features
  • Using Dependabot alerts in the SDLC

2. Configure and Use Secret Scanning (15%)

Configure and Use Secret Scanning

  • Understanding secret scanning fundamentals
  • Push protection to prevent secret commits
  • Validity checks for leaked credentials
  • Secret scanning availability (public vs. private repositories)
  • Enabling secret scanning for private repositories
  • Responding appropriately to secret scanning alerts
  • Understanding which secrets trigger alerts
  • User role permissions and notification settings

Customize Default Secret Scanning Behavior

  • Configuring alert recipients
  • Providing access to members and teams beyond admins
  • Excluding specific files from secret scanning
  • Enabling custom secret scanning patterns
  • Creating custom patterns for organization-specific secrets
  • Managing false positives effectively

Advanced Secret Scanning

  • Validity checks and their importance
  • Integrating secret scanning with incident response
  • Secret rotation workflows
  • Automating secret remediation

3. Configure and Use Dependabot and Dependency Review (35%)

Describe Tools for Managing Vulnerabilities in Dependencies

  • Understanding the dependency graph
  • How the dependency graph is generated
  • Software Bill of Materials (SBOM) export in GitHub's SPDX JSON format
  • Defining dependency vulnerabilities
  • Dependabot alerts overview
  • Dependabot security updates explained
  • Dependency Review functionality
  • Alert generation process (dependency graph + GitHub Advisory Database)
  • Differences between Dependabot and Dependency Review

Enable and Configure Tools for Managing Vulnerable Dependencies

  • Default settings for Dependabot alerts (public vs. private)
  • Permissions and roles for enabling Dependabot alerts
  • Permissions and roles for viewing Dependabot alerts
  • Enabling Dependabot alerts for private repositories
  • Enabling Dependabot alerts at organization level
  • Creating valid Dependabot configuration files
  • Grouping security updates effectively
  • Creating Dependabot Rules to auto-dismiss low severity alerts
  • Creating Dependency Review GitHub Actions workflows
  • Configuring license checks in Dependency Review
  • Setting custom severity thresholds
  • Configuring notifications for vulnerable dependencies
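
Worked example, added here for illustration and not one of the course's configuration templates: a .github/dependabot.yml that groups security updates into a single pull request, groups routine minor and patch bumps so they can be reviewed in bulk, and keeps the repository's own GitHub Actions current. The ecosystems, directory and label names are assumptions for a hypothetical repository.

```yaml
# .github/dependabot.yml
# Added example (not from the course materials). The npm ecosystem, the root
# directory and the label names are assumptions for a hypothetical repository.
version: 2
updates:
  # Application dependencies. Security updates are still turned on in the
  # repository's Code security settings; this file controls how their pull
  # requests are scheduled, grouped and labelled.
  - package-ecosystem: "npm"
    directory: "/"
    schedule:
      interval: "weekly"
      day: "monday"
    open-pull-requests-limit: 10
    labels: ["dependencies", "security-review"]
    groups:
      # One PR for all security fixes, so it can be prioritised and merged
      # ahead of routine bumps.
      npm-security:
        applies-to: security-updates
        patterns: ["*"]
      # Routine minor/patch bumps land together; majors stay as single PRs
      # because they usually need a human to read the changelog.
      npm-minor-and-patch:
        applies-to: version-updates
        patterns: ["*"]
        update-types: ["minor", "patch"]

  # The actions referenced by workflows are dependencies too, and are not
  # covered by the npm lockfile. Keeping them current (and pinned) closes
  # the most common CI supply-chain gap.
  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      interval: "weekly"
    groups:
      actions:
        patterns: ["*"]
```

Dependabot alerts, Dependabot security updates and the auto-triage rules that dismiss low-severity alerts are enabled in the repository or organization Code security settings, not in this file. Commit the file to the default branch; Dependabot validates it on the Insights > Dependency graph > Dependabot tab and reports syntax errors there.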

Identify and Remediate Vulnerable Dependencies

  • Identifying vulnerable dependencies from Dependabot alerts
  • Identifying vulnerable dependencies from pull requests
  • Enabling Dependabot security updates
  • Remedying vulnerabilities from Security tab
  • Remedying vulnerabilities in pull request context
  • Updating or removing vulnerable dependencies
  • Testing and merging Dependabot pull requests
  • Automated dependency updates
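
Worked example, added here and not part of the course materials: a Dependency Review workflow that blocks a pull request when it introduces a dependency with a high or critical advisory or a disallowed license, while still reporting lower-severity findings in a PR comment. The branch name and the denied licenses are assumptions for a hypothetical repository.

```yaml
# .github/workflows/dependency-review.yml
# Added example (not from the course materials). Branch and license policy
# are assumptions; adjust them to the repository's own rules.
name: Dependency Review
on:
  pull_request:
    branches: ["main"]

permissions:
  contents: read
  pull-requests: write   # only needed for comment-summary-in-pr

jobs:
  dependency-review:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: Review dependency changes
        uses: actions/dependency-review-action@v4
        with:
          # Fail the check for high or critical advisories on dependencies
          # this PR adds or upgrades. Moderate/low are listed but do not block.
          fail-on-severity: high
          # Only runtime dependencies block the merge; dev/test dependencies
          # are still shown in the summary.
          fail-on-scopes: runtime
          # License policy uses SPDX identifiers. deny-licenses and
          # allow-licenses are mutually exclusive; pick one model.
          deny-licenses: "GPL-3.0, AGPL-3.0"
          # Post the diff of added/removed dependencies on every run so
          # reviewers see it without opening the Actions log.
          comment-summary-in-pr: always
```

The action compares the dependency graph of the base and head commits, so the dependency graph must be enabled for the repository (free on public repositories, GHAS on private ones). For the check to actually gate merges, add it as a required status check in branch protection or a repository ruleset; on its own it only reports. In production, pin the action to a full commit SHA rather than the floating v4 tag.
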

4. Configure and Use Code Scanning with CodeQL (25%)

Use Code Scanning with Third-Party Tools

  • Enabling code scanning for third-party analysis
  • CodeQL vs. third-party analysis tools
  • Implementing CodeQL in GitHub Actions workflows
  • Implementing CodeQL in third-party CI tools
  • Uploading SARIF results via the SARIF endpoint
  • Understanding SARIF format and categories
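
Worked example, added here and not part of the course materials: a workflow that runs a third-party scanner and uploads its SARIF to code scanning through the same upload path the CodeQL action uses. Semgrep is used only as a stand-in for "any tool that emits SARIF 2.1.0"; the tool choice and its command line are assumptions.

```yaml
# .github/workflows/third-party-sast.yml
# Added example (not from the course materials). Semgrep is an assumed
# stand-in for any SARIF-producing scanner.
name: Third-party SAST
on:
  pull_request:
  push:
    branches: ["main"]

permissions:
  contents: read
  security-events: write   # required to write code scanning results
  actions: read            # required for private repositories

jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: Run scanner and write SARIF
        run: |
          python3 -m pip install --quiet semgrep
          semgrep scan --config auto --sarif --output semgrep.sarif

      - name: Upload SARIF to code scanning
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: semgrep.sarif
          # The category names this tool/configuration pair. Keep it stable
          # between runs and distinct from CodeQL's categories: code scanning
          # treats each category as its own series of analyses, and uploading
          # a new result set under an existing category closes the alerts that
          # set no longer contains.
          category: semgrep
```

The action is a wrapper over the REST endpoint POST /repos/{owner}/{repo}/code-scanning/sarifs, which expects the SARIF gzip-compressed and base64-encoded together with the commit SHA and ref; use the endpoint directly from a CI system other than GitHub Actions. Alerts from third-party uploads appear in the same Security tab as CodeQL alerts and can be filtered by tool.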

Describe and Enable Code Scanning

  • Code scanning in the software development lifecycle
  • Frequency of code scanning (scheduled vs. event-triggered)
  • Choosing triggering events for development patterns
  • Scanning on pull requests
  • Scanning specific files and paths
  • Editing default Actions workflow templates
  • Adapting workflows for production repositories

View and Interpret Code Scanning Results

  • Viewing CodeQL analysis results
  • Understanding code scanning alerts
  • Following data flow with "show paths" experience
  • Reading alert documentation
  • Determining if alerts need dismissal
  • Understanding CodeQL's compilation model
  • Language support and limitations

Troubleshoot and Configure Code Scanning

  • Troubleshooting failing CodeQL workflows
  • Creating custom CodeQL configurations
  • Modifying CodeQL workflow files
  • Understanding the built-in CodeQL query suites (default, security-extended, security-and-quality)
  • Defining SARIF categories
  • Optimizing CodeQL performance
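
Worked example covering both the workflow customisation above and the custom configuration topics (added here for illustration; it is not one of the course templates). The block holds two files separated by a YAML document marker: the workflow itself, and the CodeQL configuration file it references. The languages, branch, schedule and excluded paths are assumptions for a hypothetical repository.

```yaml
# .github/workflows/codeql.yml
# Added example (not from the course materials). Languages, branch,
# schedule and excluded paths are assumptions.
name: CodeQL
on:
  push:
    branches: ["main"]
  pull_request:
    branches: ["main"]
    # Do not add paths/paths-ignore here: a PR that skips the workflow
    # leaves a required check waiting forever. Filter in the config file.
  schedule:
    - cron: "30 3 * * 1"   # weekly full scan picks up newly shipped queries

permissions:
  contents: read
  security-events: write
  actions: read

jobs:
  analyze:
    name: Analyze (${{ matrix.language }})
    runs-on: ubuntu-latest
    strategy:
      fail-fast: false        # one language failing should not hide the others
      matrix:
        include:
          - language: javascript-typescript
            build-mode: none
          - language: java-kotlin
            build-mode: none  # use autobuild or manual if generated code is missed
    steps:
      - uses: actions/checkout@v4

      - name: Initialize CodeQL
        uses: github/codeql-action/init@v3
        with:
          languages: ${{ matrix.language }}
          build-mode: ${{ matrix.build-mode }}
          config-file: ./.github/codeql/codeql-config.yml

      - name: Analyze
        uses: github/codeql-action/analyze@v3
        with:
          # One category per matrix leg, otherwise the last language to
          # finish overwrites the others' results.
          category: "/language:${{ matrix.language }}"
---
# .github/codeql/codeql-config.yml
name: "Hardened CodeQL config"
# Keep the default suite and add the lower-precision security queries on top.
disable-default-queries: false
queries:
  - uses: security-extended
# Path filters are honoured for interpreted languages; for a compiled
# language, what the build produces decides what is analysed.
paths-ignore:
  - "**/node_modules"
  - "**/*.test.ts"
  - "docs"
# Drop the noisiest tier so triage time goes to errors and warnings.
query-filters:
  - exclude:
      problem.severity:
        - recommendation
```

To make the analysis mandatory rather than advisory, add a repository ruleset with the "Require code scanning results" rule for the CodeQL tool and set the security severity threshold at which a pull request is blocked; that is the mechanism behind the "changing severity thresholds for pull request checks" and "enforcing CodeQL workflows with Repository Rulesets" topics later in this outline. A failing workflow is most often a build-mode problem for compiled languages; the first troubleshooting step is to check whether the build CodeQL observed actually compiled the code you expected.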

Advanced CodeQL Usage

  • Writing custom CodeQL queries
  • Understanding compiled vs. interpreted language analysis
  • Using CodeQL CLI for advanced scenarios
  • Integrating CodeQL with IDEs

5. GHAS Best Practices, Results, and Corrective Measures (10%)

GitHub Advanced Security Results and Best Practices

  • Using CVE and CWE to describe alerts
  • Listing potential remediation for vulnerabilities
  • Decision-making process for closing alerts
  • Documenting alert dismissals
  • Making data-driven security decisions

Understanding CodeQL Analysis

  • Default CodeQL query suites
  • How CodeQL analyzes code and produces results
  • Differences between compiled and interpreted language analysis
  • Query customization and tuning

Roles and Responsibilities

  • Development team responsibilities
  • Security team responsibilities
  • Collaboration in software development workflows
  • Security champions programs

Configuring Alert Thresholds and Filters

  • Changing severity thresholds for pull request checks
  • Using filters to prioritize secret scanning remediation
  • Validity filtering (validity:active)
  • Sorting and prioritizing alerts effectively

Enforce Security with Repository Rulesets

  • Enforcing CodeQL workflows with Repository Rulesets
  • Enforcing Dependency Review workflows
  • Branch protection rules for security
  • Required status checks

Early Vulnerability Identification

  • Configuring code scanning for pull requests
  • Enabling push protection for secret scanning
  • Enabling dependency review for pull requests
  • Shift-left security practices
  • Preventing vulnerabilities before merge

Hands-on Labs

Throughout this training, you will participate in practical exercises including:

  • Enabling GHAS features for repositories and organizations
  • Configuring secret scanning and creating custom patterns
  • Setting up Dependabot alerts and security updates
  • Creating Dependabot configuration files
  • Implementing Dependency Review workflows
  • Enabling code scanning with CodeQL
  • Customizing CodeQL workflows
  • Uploading third-party SARIF results
  • Triaging and remediating security alerts
  • Creating custom CodeQL queries
  • Configuring Repository Rulesets for security
  • Implementing shift-left security practices

Training Methodology

  • Interactive Presentations: Comprehensive coverage of GHAS features and security concepts
  • Live Demonstrations: Real-world security scenarios and remediation
  • Hands-on Labs: Practical exercises with actual vulnerabilities
  • Security Workshops: Analyzing and fixing security issues
  • Best Practices: Industry-standard security patterns
  • Case Studies: Real-world security incidents and responses
  • Q&A Sessions: Addressing specific organizational security needs

Certification Preparation

This training aligns with the GH-500: GitHub Advanced Security certification exam and covers all domains tested:

  1. Describe GHAS security features and functionality (15%)
  2. Configure and use secret scanning (15%)
  3. Configure and use Dependabot and Dependency Review (35%)
  4. Configure and use code scanning with CodeQL (25%)
  5. GHAS best practices, results, and corrective measures (10%)

What You'll Receive

  • Comprehensive training materials
  • GHAS configuration templates
  • CodeQL query examples
  • Security remediation playbooks
  • Best practices guide
  • Certificate of attendance
  • Post-training support resources
  • Access to exclusive security tips and resources

Real-World Security Scenarios Covered

  • Leaked Secrets: API keys, passwords, tokens in code
  • Vulnerable Dependencies: npm, NuGet, Maven, PyPI vulnerabilities
  • Code Vulnerabilities: SQL injection, XSS, path traversal
  • Supply Chain Security: SBOM generation, dependency tracking
  • Compliance: SOC 2, ISO 27001, PCI DSS requirements
  • Incident Response: Rapid remediation workflows
  • Security Automation: Automated security updates and fixes

Security Features Deep Dive

Secret Scanning
  • Pattern recognition for 200+ token types
  • Push protection to prevent commits
  • Validity checks with service providers
  • Custom pattern creation
  • Partner program integration

Dependabot
  • Automatic dependency updates
  • Security vulnerability alerts
  • Version updates
  • Grouped updates
  • Auto-merge capabilities
  • Custom configuration

Code Scanning (CodeQL)
  • Static application security testing (SAST)
  • 400+ security queries
  • Multiple language support
  • Custom query creation
  • Third-party tool integration
  • SARIF format support

Dependency Review
  • Pull request-based scanning
  • License compliance checks
  • Custom severity thresholds
  • Block vulnerable dependencies
  • Enforce security policies

Supported Languages and Ecosystems

Code Scanning Languages
  • C/C++
  • C#
  • Go
  • Java/Kotlin
  • JavaScript/TypeScript
  • Python
  • Ruby
  • Swift

Dependency Ecosystems
  • npm (JavaScript/TypeScript)
  • NuGet (.NET)
  • Maven/Gradle (Java)
  • PyPI/pip (Python)
  • RubyGems (Ruby)
  • Composer (PHP)
  • Go modules
  • Cargo (Rust)

Follow-up and Next Steps

After completing this training, you will be well-prepared to:

  • Implement GHAS across your organization
  • Configure security scanning for all repositories
  • Establish security policies and procedures
  • Train development teams on secure coding practices
  • Prepare for the GH-500 certification exam
  • Build a comprehensive DevSecOps program
  • Measure and improve security posture

Measuring Security Success

Learn how to measure the impact of GHAS:

  • Mean time to remediate (MTTR) for vulnerabilities
  • Number of vulnerabilities prevented
  • Security alert trends
  • Developer security awareness
  • Compliance audit results
  • Supply chain risk reduction

Integration with Security Tools

Learn to integrate GHAS with:

  • SIEM systems (Splunk, Microsoft Sentinel, formerly Azure Sentinel)
  • Vulnerability management platforms
  • Incident response tools
  • Compliance management systems
  • Security orchestration (SOAR)

Related Trainings

Consider these complementary trainings:

  • GitHub Administration - Managing GitHub Enterprise
  • GitHub Actions - Automating security workflows
  • Secure Software Development Lifecycle - Comprehensive security practices
  • DevSecOps Fundamentals - Integrating security into DevOps

GHAS Licensing and Plans

Learn about GHAS availability:

  • Open Source: Free security features for public repositories
  • GitHub Advanced Security: Enterprise licensing for private repositories
  • GitHub Enterprise Cloud: Cloud-based GHAS
  • GitHub Enterprise Server: Self-hosted GHAS

Compliance and Standards

Understand how GHAS helps with:

  • OWASP Top 10
  • CWE/SANS Top 25
  • NIST guidelines
  • SOC 2 compliance
  • ISO 27001
  • PCI DSS
  • GDPR data protection