Overview

GitHub Advanced Security (GHAS) plays a crucial role in enhancing the security posture of software development projects on GitHub. It provides a comprehensive set of tools and features designed to identify and address security vulnerabilities throughout the development lifecycle. By integrating security directly into the development process with GHAS, your team can build more secure and reliable software. The course explores how to use GHAS for maximum security impact and explains GHAS and its role in the wider security ecosystem.

Audience Profile

This course is intended for students who want to understand and implement advanced security practices with GitHub Advanced Security (GHAS). They will learn how to enhance software development processes and build a more resilient and secure ecosystem using developer-first solutions to keep code, supply chain, and secrets secure before production. They will also learn how GHAS gives security teams visibility into cross-organisational security posture and supply chain, backed by curated security intelligence from the global GitHub community.

Syllabus

Become familiar with GitHub Advanced Security features (GHAS) and best practices, and identify critical areas for eliminating security gaps.

Learning Objectives
  • Define GHAS and key features such as secret scanning, code scanning, and Dependabot.
  • Use GHAS to maximise security impact.
  • Explain GHAS and its role in the security ecosystem.

Manage your dependencies with GitHub Dependabot and keep vulnerable dependencies under control.

Learning Objectives
  • Describe the available tools for managing vulnerable dependencies on GitHub.
  • Enable and configure Dependabot alerts.
  • Identify the permissions and roles required to view and enable Dependabot alerts.
  • Enable and configure Dependabot security updates.
  • Identify, review, and address vulnerable dependencies.
  • Explain how to use the GraphQL API to retrieve vulnerability information.
  • Configure notifications for vulnerable dependencies.

Understand how secret scanning works and how to configure and use it effectively.

Learning Objectives
  • Describe secret scanning.
  • Configure secret scanning.
  • Use secret scanning.

Learn about code scanning and how to implement it using CodeQL, third-party tools, and GitHub Actions.

Learning Objectives
  • Describe code scanning.
  • List the steps for enabling code scanning in a repository.
  • List the steps for enabling code scanning with third-party analysis.
  • Contrast implementing CodeQL analysis via GitHub Actions versus external CI tools.
  • Configure code scanning using triggering events.
  • Compare scheduled versus event-based code scanning workflows.

Use CodeQL to analyse source code and identify security vulnerabilities in your GitHub repositories.

Learning Objectives
  • Create a CodeQL database representing your codebase.
  • Run CodeQL queries to find problems and potential vulnerabilities.
  • Interpret CodeQL scan results using built-in and custom queries.

Use CodeQL as a static analysis engine to implement powerful code scanning workflows on GitHub.

Learning Objectives
  • Understand CodeQL and how it analyses code.
  • Understand QL as a logic programming language.
  • Set up CodeQL-based code scanning in a GitHub repository.
  • Reference a custom CodeQL query.
  • Configure the language matrix in a CodeQL workflow.
  • Use the CodeQL CLI to generate and upload code scanning results.
  • Implement custom build steps in CodeQL workflows.

Understand where GitHub Advanced Security fits in your SDLC and how to roll it out across your organisation.

Learning Objectives
  • Explain what GitHub Advanced Security is and how to use it in the SDLC.
  • Identify which GHAS features are available for open-source and enterprise products.
  • Enable GHAS features across different enterprise offerings.
  • Determine who should have access to GHAS features and grant appropriate permissions.
  • Set security policies at organisation and repository levels.
  • Respond to security alerts.
  • Use Security Overview to monitor security posture.
  • Use GHAS API endpoints to manage features and alerts.

Use GitHub's security tools to prepare repositories for secure development and robust incident response.

Learning Objectives
  • Create documentation that details security guidelines and useful information for collaborators.
  • Set permissions and other rules.
  • Automate processes that prevent security breaches.
  • Respond effectively to security breaches.