| docs/2-Github/2.5-Security.md | ||||||||||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
GitHub offers a range of excellent and user-friendly security features. In this section, we'll delve into these features, providing practical guidance on how to use them effectively. Given the critical importance of security in any development project, the methods we'll explore here will not only be highly beneficial for your current work but also serve as a solid foundation for your future projects.
Code scanning is a GitHub feature that allows you to automatically scan your code for security vulnerabilities. Code scanning works by integrating with third-party static analysis tools as well as GitHub's CodeQL, which analyze your code for potential security issues such as buffer overflows, cross-site scripting (XSS) vulnerabilities, and SQL injection vulnerabilities. Code scanning can be set up to run automatically as part of your continuous integration (CI) pipeline, which helps catch vulnerabilities early in the development process. The files these scans produce is in "SARIF" (Static Analysis Results Interchange Format) which is an industry standard format for security scanning tools which is also what the Security tab in GitHub expects when you upload results to it.
- GitHub developed its own code-scanning software called CodeQL which they have their own actions for so you can set it up pretty quickly with out of the box functionality for some interpreted languages like Python, Javascript, and Ruby and it automatically detects supported languages and puts those into the workflow for you. For those languages that need to be compiled, you can still run the tool against them but you need to have a custom build step in your workflow before you analyze it. The short story of what it does is make a relational database out of your code and runs queries against it to detect a variety of potential issues, then uploads its findings to your security tab. (link to CodeQL docs here)
Secret scanning is a GitHub feature that helps prevent secrets such as API keys and access tokens from being accidentally committed to your repository. Secret scanning works by scanning your repositories for potential secrets using regular expressions, and notifying you if any are found. If a potential secret is found, you will receive an email notification with details on how to remove the secret from your repository. (Docs for secret scanning here)
- If you have GitHub Enterprise, you can also create your own patterns for the secret scanning to pick up.
Dependabot alerts are notifications that GitHub sends when vulnerabilities are discovered in software dependencies used by your repositories. Dependabot alerts work by scanning your repositories for known vulnerabilities in dependencies, and sending you an email notification if any are found. Dependabot alerts can be set up to automatically create pull requests that update your dependencies to the latest secure version.
Dependabot security updates are automatic pull requests that update your dependencies to the latest secure version when vulnerabilities are discovered. Dependabot security updates work by scanning your repositories for known vulnerabilities in dependencies, and automatically creating a pull request that updates the dependency to the latest secure version. Dependabot security updates can be set up to automatically merge the pull request if all tests pass, which helps ensure that your code is always up-to-date and secure.
To start off, we will explore a bit more of the code-scanning side of GitHub security using CodeQL. As mentioned previously, CodeQL has some good default workflows you can setup to help you get started with code-scanning. You can either use that or a tool we refactored into Go based off of mario-campos/gh-code-scanning which does basically the same thing except its cooler and it lives here (still a work in progress).
- Create a repository that includes some code from one of the many CodeQl supported interpreted languages like Python or Javascript. A RealWorld project is a good place to start since they are typically old and not maintained.
- Using the tool of your choice or just go through the basic workflow configuration, enable code-scanning on your repository as well as create a basic workflow to start doing some code scanning with.
- View the results of the scan inside the security tab of the repository.
This next part is pretty simple, however it shows you the power of Dependabot version and security updates. Once enabled, these two features will give you insight into your outdated and risk-ridden dependencies with information inside the Security tab of your repository or from the PR's it automatically generates to update them.
- First we are going to need a bad project for Dependabot to scan which can either be the one from the previous exercise or another of your choice. Once that is setup inside your repo, navigate to the
code security and analysistab in the settings of the repository to enable all three Dependabot features i.e. Alerts, Security Updates, and Version Updates. - In the
dependabot.ymlfile that is generated once you have enabled Version Updates, update thepackage-ecosystemoption with whatever matches with the code in your repository. - Now you just have to watch Dependabot automatically generate PR's and security notices to help you make your life easier when it comes to managing dependencies and security risks.
The last part of our adventure into GitHub's security features is secret-scanning. This is a pretty important one as preventing secrets from entering your code base will save you the trouble of having to rotate keys and revoke credentials as well as potentially saving you money should that secret be able to grant access to critical infrastructure.
- Like everything else we've done so far, this feature is in the
code security and analysistab in the settings of the repository which you will need to enable. - Also enable push protection which lets GitHub scan your commits for high-confidence secrets and prevent the commit from going through. It gives you the option to review what is being pushed and should it need to be committed, give a reason as to why.
- Now we are going to create a secret, a GitHub PAT is probably easiest and
MAKE SURE to not give it any permissions. Although the push protection will stop it from being committed and we will delete it afterwards anyways, getting in the habit of keeping things as secure as possible is a very important one to build. So go ahead and try to commit it and if all goes according to plan, GitHub should prevent you from doing so and send you an alert for it.Once again remember to get rid of it afterwards!
Like was mentioned before, security is a habit that should be maintained. Tools like these are meant to help prevent security risks should they come up but that does not mean you as a developer are relieved of that responsibility. Tools like these are helpful but they are not infallable so always be aware of what you are doing and how you can do it in the safest way possible.
- Have a decent grasp of some of GitHub's security features.
- Be able to enable and configure them on your own to help maintain security in your repo's should you need it.
- Know where the results of these features appear in your repository and be able to understand what they mean and how to act on them.