Advanced guides and tutorials on GitHub Advanced Security

Nicholas Liffen // Director, GitHub Advanced Security // GitHub

Once you enable GitHub Advanced Security's (GHAS) core features, they keep running on your repositories without further setup on your part. But you can do more with GHAS than run the scans GitHub provides out of the box. In this module, we'll dive into the more advanced capabilities of GHAS.

Prerequisites:

In this module, we will be using an example application called WebGoat to explore the features of GHAS. WebGoat is an open source, deliberately insecure Java web application maintained by OWASP and widely used for security training and for benchmarking security tools. If you completed one of the previous security pathways (foundational or intermediate), you can keep using the same repository.

Advanced module overview

Guide 1: Creating a central CodeQL configuration file

Why and how to centrally manage your CodeQL configuration, how to enable access to your central CodeQL configuration file, and how to point individual repositories to it.
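As an added illustration of what a central CodeQL configuration looks like in practice (this is example code, not the guide's own material), the block below shows a shared configuration file and the workflow fragment a consuming repository uses to pull it in. The organization name my-org, the repository codeql-config, the branch main, and the secret CODEQL_CONFIG_TOKEN are all placeholders chosen for this example. The two files are shown as one YAML stream separated by a document marker.

```yaml
# File 1, kept in the central repository (placeholder: my-org/codeql-config):
# codeql-config.yml, the configuration every repository will share
name: "Central CodeQL config (example)"
queries:
  - uses: security-extended     # run the extended security suite on top of the default queries
paths-ignore:
  - "**/src/test/**"            # keep alerts focused on shipped code, not tests
  - "**/target/**"              # build output
---
# File 2, in each consuming repository:
# .github/workflows/codeql.yml
name: CodeQL
on:
  push:
    branches: [main]
  pull_request:
    branches: [main]
  schedule:
    - cron: "30 2 * * 1"        # weekly full scan picks up newly added queries

permissions:
  contents: read
  security-events: write        # required to upload results to code scanning

jobs:
  analyze:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: github/codeql-action/init@v3
        with:
          languages: java-kotlin
          # owner/repo/path@ref: fetch the config from the central repository
          config-file: my-org/codeql-config/codeql-config.yml@main
          # Only needed when the central repository is private; the token must
          # have read access to it. Secret name is a placeholder for this example.
          external-repository-token: ${{ secrets.CODEQL_CONFIG_TOKEN }}
      - uses: github/codeql-action/autobuild@v3
      - uses: github/codeql-action/analyze@v3
```

Two caveats a practitioner will hit immediately: a custom configuration file requires advanced setup (a workflow file like the one above), because default setup does not read `config-file`; and if the central repository is private, omitting `external-repository-token` makes the init step fail to fetch the configuration rather than silently fall back to the defaults, so check the init step's log when rolling this out.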

Guide 2: Understanding your end-to-end software supply chain

How to use GitHub Actions to create and upload a dependency snapshot, how to view the results in the dependency graph, and how to automatically export a software bill of materials (SBOM) with GitHub Actions.
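The workflow below is an added example (not taken from the guide) of the two steps this guide covers, written for a Maven project like WebGoat: it submits a dependency snapshot of the resolved build tree, then exports the repository's SBOM from the dependency graph through the REST API and stores it as a build artifact. The Java version, the artifact name, and the output filename sbom.spdx.json are assumptions made for this example.

```yaml
# .github/workflows/supply-chain.yml (added example)
name: Supply chain
on:
  push:
    branches: [main]
  workflow_dispatch:

jobs:
  dependency-snapshot:
    runs-on: ubuntu-latest
    permissions:
      contents: write           # the dependency submission API needs write access
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-java@v4
        with:
          distribution: temurin
          java-version: "21"    # assumed; match the project's pom.xml
      # Resolves the full Maven tree (transitive dependencies included) and
      # uploads it as a snapshot, so the dependency graph and Dependabot see
      # what the build actually resolves rather than only what pom.xml declares.
      - uses: advanced-security/maven-dependency-submission-action@v4

  sbom:
    runs-on: ubuntu-latest
    needs: dependency-snapshot  # export after the snapshot has been submitted
    permissions:
      contents: read
    steps:
      - name: Export SPDX SBOM from the dependency graph
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        run: |
          gh api \
            -H "Accept: application/vnd.github+json" \
            "/repos/${GITHUB_REPOSITORY}/dependency-graph/sbom" \
            > sbom.spdx.json
          # Sanity check: fail the job if the document lists no packages at all
          jq -e '.sbom.packages | length > 0' sbom.spdx.json
      - uses: actions/upload-artifact@v4
        with:
          name: sbom
          path: sbom.spdx.json
```

Note that snapshot submissions are queued and processed asynchronously, so an SBOM exported in the same run may not yet reflect the snapshot just uploaded; if you need the export to include it, schedule the export separately or re-run it after the dependency graph shows the new snapshot.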