CINXE.COM
Understanding GitHub Advanced Security for application security testing - GitHub Resources
<!DOCTYPE html><html dir="ltr" lang="en-US"><head><meta charSet="utf-8"/><meta name="viewport" content="width=device-width"/><meta http-equiv="Content-Security-Policy" content="default-src 'none'; script-src 'self' analytics.githubassets.com ghcc.githubassets.com js.monitor.azure.com/scripts/c/ms.analytics-web-4.min.js www.youtube.com; style-src 'self' 'unsafe-inline'; connect-src 'self' browser.events.data.microsoft.com collector.githubapp.com edge.fullstory.com rs.fullstory.com; font-src 'self' data:; img-src 'self' data: github.githubassets.com images.ctfassets.net rs.fullstory.com ad.doubleclick.net pixel.quantserve.com sp.analytics.yahoo.com www.facebook.com px.ads.linkedin.com alb.reddit.com px4.ads.linkedin.com adservice.google.com; manifest-src 'self'; frame-src 'self' www.youtube.com player.vimeo.com play.vidyard.com octocaptcha.com; media-src 'self';"/><link rel="canonical" href="https://resources.github.com/learn/pathways/security/essentials/application-security-testing-github-advanced-security/"/><meta name="ha-url" content="https://collector.githubapp.com/resources/collect"/><meta name="ghcc-locale" content="en-US"/><link rel="apple-touch-icon" sizes="180x180" href="/apple-touch-icon.png"/><link rel="icon" type="image/png" sizes="32x32" href="/favicon-32x32.png"/><link rel="icon" type="image/png" sizes="16x16" href="/favicon-16x16.png"/><link rel="manifest" href="/site.webmanifest"/><link rel="mask-icon" href="/safari-pinned-tab.svg" color="#ab3f8b"/><meta name="apple-mobile-web-app-title" content="GitHub Resources"/><meta name="application-name" content="GitHub Resources"/><meta name="msapplication-TileColor" content="#ab3f8b"/><meta name="theme-color" content="#151920"/><meta name="twitter:card" content="summary_large_image"/><meta name="twitter:site" content="@github"/><meta name="twitter:creator" content="@GitHub"/><meta property="og:url" content="https://resources.github.com/learn/pathways/security/essentials/application-security-testing-github-advanced-security/"/><meta property="og:type" content="website"/><meta property="og:locale" content="en_US"/><meta property="og:site_name" content="GitHub Resources"/><title>Understanding GitHub Advanced Security for application security testing - GitHub Resources</title><meta name="robots" content="index,follow"/><meta name="description" content="Enhance application security testing with GitHub Advanced Security. Discover powerful code scanning & security testing features to protect code from vulnerabilities."/><meta property="og:title" content="Understanding GitHub Advanced Security for application security testing"/><meta property="og:description" content="Enhance application security testing with GitHub Advanced Security. Discover powerful code scanning & security testing features to protect code from vulnerabilities."/><meta property="og:image" content="https://images.ctfassets.net/wfutmusr1t3h/1Gt106FozfDrOsHiKjfRTF/9e7f05449d55e7450fe274af705f5809/S100-1200x630-1.png"/><meta property="og:image:alt" content="Meta Image L100-1 "/><meta property="og:image:width" content="1200"/><meta property="og:image:height" content="630"/><meta name="ha-page-type" content="marketing"/><meta name="next-head-count" content="32"/><link data-next-font="" rel="preconnect" href="/" crossorigin="anonymous"/><link rel="preload" href="/_next/static/css/238ca3e7f90c682f.css" as="style"/><link rel="stylesheet" href="/_next/static/css/238ca3e7f90c682f.css" data-n-g=""/><link rel="preload" href="/_next/static/css/c2a527101433f11d.css" as="style"/><link rel="stylesheet" href="/_next/static/css/c2a527101433f11d.css" data-n-p=""/><noscript data-n-css=""></noscript><script defer="" nomodule="" src="/_next/static/chunks/polyfills-78c92fac7aa8fdd8.js"></script><script src="https://ghcc.githubassets.com/ghcc.min.js" defer="" data-nscript="beforeInteractive"></script><script src="/_next/static/chunks/webpack-38cee4c0e358b1a3.js" defer=""></script><script src="/_next/static/chunks/framework-49c6cecf1f6d5795.js" defer=""></script><script src="/_next/static/chunks/main-43041a92397b9ba5.js" defer=""></script><script src="/_next/static/chunks/pages/_app-4918fa68b0b899e4.js" defer=""></script><script src="/_next/static/chunks/285-f0ec2e7d96e240db.js" defer=""></script><script src="/_next/static/chunks/pages/%5B...path%5D-4685a8a8e88aa8ea.js" defer=""></script><script src="/_next/static/ZokmF09g2SkORXwoG0TZr/_buildManifest.js" defer=""></script><script src="/_next/static/ZokmF09g2SkORXwoG0TZr/_ssgManifest.js" defer=""></script></head><body><div id="__next"><div data-color-mode="light" class="d-flex flex-column"><div id="site-navigation-container" data-color-mode="light" data-light-theme="light" style="z-index:999" class="site-navigation-container position-fixed top-0 width-full color-bg-transparent"><div class="position-relative site-navigation-container--background"><div class="position-absolute nav-dropdown color-bg-white" data-color-mode="light" data-light-theme="light"><div class="container-xl"><form class="d-flex flex-column"><button class="btn-link flex-self-end Link--muted" type="button" aria-label="Close dropdown" data-analytics-click="Search,search pane closed, query: "><svg aria-hidden="true" role="img" class="octicon octicon-x" viewBox="0 0 24 24" width="36" height="36" fill="currentColor" style="display:inline-block;user-select:none;vertical-align:text-bottom;overflow:visible"><path fill-rule="evenodd" d="M5.72 5.72a.75.75 0 011.06 0L12 10.94l5.22-5.22a.75.75 0 111.06 1.06L13.06 12l5.22 5.22a.75.75 0 11-1.06 1.06L12 13.06l-5.22 5.22a.75.75 0 01-1.06-1.06L10.94 12 5.72 6.78a.75.75 0 010-1.06z"></path></svg></button><div class="d-flex flex-column flex-md-row flex-items-center"><input type="text" class="search-input form-control input-lg color-bg-transparent color-fg-muted flex-1 width-full mb-3 mb-md-0 mr-0 mr-md-3" placeholder="What are you looking for?" autofocus="" value=""/><button class="btn-mktg arrow-target-mktg flex-shrink-0 width-full width-md-auto">Search</button></div></form></div></div><ul class="position-absolute nav-dropdown mobile-nav pt-8 pb-4 color-bg-dark color-fg-white d-lg-none" data-color-mode="dark" data-dark-theme="dark"><div class="container-sm px-6 overflow-auto height-full"><div class="d-flex flex-column color-bg-dark height-full flex-justify-between"><div></div><div class="d-flex flex-column d-md-none"></div></div></div></ul><header data-testid="site-navigation-mobile" class="site-navigation d-lg-none"><nav class="container-xl py-1" aria-label="Site navigation"><div class="d-flex flex-items-center flex-justify-between"><a title="Visit GitHub Resources" class="gh-icon Header-link" data-testid="navigation-home-link-mobile" href="/"><svg aria-hidden="true" role="img" class="octicon octicon-mark-github" viewBox="0 0 16 16" width="32" height="32" fill="currentColor" style="display:inline-block;user-select:none;vertical-align:text-bottom;overflow:visible"><path fill-rule="evenodd" d="M8 0C3.58 0 0 3.58 0 8c0 3.54 2.29 6.53 5.47 7.59.4.07.55-.17.55-.38 0-.19-.01-.82-.01-1.49-2.01.37-2.53-.49-2.69-.94-.09-.23-.48-.94-.82-1.13-.28-.15-.68-.52-.01-.53.63-.01 1.08.58 1.23.82.72 1.21 1.87.87 2.33.66.07-.52.28-.87.51-1.07-1.78-.2-3.64-.89-3.64-3.95 0-.87.31-1.59.82-2.15-.08-.2-.36-1.02.08-2.12 0 0 .67-.21 2.2.82.64-.18 1.32-.27 2-.27.68 0 1.36.09 2 .27 1.53-1.04 2.2-.82 2.2-.82.44 1.1.16 1.92.08 2.12.51.56.82 1.27.82 2.15 0 3.07-1.87 3.75-3.65 3.95.29.25.54.73.54 1.48 0 1.07-.01 1.93-.01 2.2 0 .21.15.46.55.38A8.013 8.013 0 0016 8c0-4.42-3.58-8-8-8z"></path></svg></a><div class="d-none d-md-flex d-lg-none"></div></div></nav></header><header data-testid="site-navigation" class="site-navigation"><nav class="container-xl py-1 d-none d-lg-flex flex-items-center flex-justify-between" aria-label="Site navigation"><ul class="d-flex flex-items-center"><li><a href="https://github.com" target="_blank" rel="noreferrer" class="gh-icon Header-link d-none d-lg-block py-3 position-relative" aria-label="GitHub homepage"><svg aria-hidden="true" role="img" class="nav-back-arrow position-absolute" viewBox="0 0 24 24" width="32" height="32" fill="currentColor" style="display:inline-block;user-select:none;vertical-align:text-bottom;overflow:visible"><path fill-rule="evenodd" d="M15.28 5.22a.75.75 0 00-1.06 0l-6.25 6.25a.75.75 0 000 1.06l6.25 6.25a.75.75 0 101.06-1.06L9.56 12l5.72-5.72a.75.75 0 000-1.06z"></path></svg><svg aria-hidden="true" role="img" class="octicon octicon-mark-github" viewBox="0 0 16 16" width="32" height="32" fill="currentColor" style="display:inline-block;user-select:none;vertical-align:text-bottom;overflow:visible"><path fill-rule="evenodd" d="M8 0C3.58 0 0 3.58 0 8c0 3.54 2.29 6.53 5.47 7.59.4.07.55-.17.55-.38 0-.19-.01-.82-.01-1.49-2.01.37-2.53-.49-2.69-.94-.09-.23-.48-.94-.82-1.13-.28-.15-.68-.52-.01-.53.63-.01 1.08.58 1.23.82.72 1.21 1.87.87 2.33.66.07-.52.28-.87.51-1.07-1.78-.2-3.64-.89-3.64-3.95 0-.87.31-1.59.82-2.15-.08-.2-.36-1.02.08-2.12 0 0 .67-.21 2.2.82.64-.18 1.32-.27 2-.27.68 0 1.36.09 2 .27 1.53-1.04 2.2-.82 2.2-.82.44 1.1.16 1.92.08 2.12.51.56.82 1.27.82 2.15 0 3.07-1.87 3.75-3.65 3.95.29.25.54.73.54 1.48 0 1.07-.01 1.93-.01 2.2 0 .21.15.46.55.38A8.013 8.013 0 0016 8c0-4.42-3.58-8-8-8z"></path></svg></a></li><li class="d-flex flex-items-center"><span class="ml-3 f1-mktg f2-md-mktg opacity-30">/</span><a data-testid="navigation-home-link" data-analytics-click="Navigation, go to homepage" class="d-none d-lg-inline-block Header-link font-weight-semibold p-3 f2" aria-label="GitHub resources homepage" href="/">Resources</a></li></ul><ul class="d-flex flex-items-center"></ul><div class="site-navigation--background position-absolute top-0 bottom-0 left-0 right-0"></div></nav></header></div></div><main class="flex-1 position-relative"><div class="mkt-landing-page pb-8"><div class="flex-1 position-relative"><section class="color-bg-dark color-fg-white text-center pb-10 pt-16 px-3 guide-header mb-8" data-nav=""><span style="box-sizing:border-box;display:block;overflow:hidden;width:initial;height:initial;background:none;opacity:1;border:0;margin:0;padding:0;position:absolute;top:0;left:0;bottom:0;right:0"><img alt="Guards guarding a castle" src="data:image/gif;base64,R0lGODlhAQABAIAAAAAAAP///yH5BAEAAAAALAAAAAABAAEAAAIBRAA7" decoding="async" data-nimg="fill" style="position:absolute;top:0;left:0;bottom:0;right:0;box-sizing:border-box;padding:0;border:none;margin:auto;display:block;width:0;height:0;min-width:100%;max-width:100%;min-height:100%;max-height:100%;object-fit:cover"/><noscript><img alt="Guards guarding a castle" loading="lazy" decoding="async" data-nimg="fill" style="position:absolute;top:0;left:0;bottom:0;right:0;box-sizing:border-box;padding:0;border:none;margin:auto;display:block;width:0;height:0;min-width:100%;max-width:100%;min-height:100%;max-height:100%;object-fit:cover" sizes="100vw" srcSet="https://images.ctfassets.net/wfutmusr1t3h/4AAODHNOlIYCjXTNkH3Ge0/c5600399cfdfdf54edc6a9b2915f7380/Untitled__4_.png?w=544&q=75 544w, https://images.ctfassets.net/wfutmusr1t3h/4AAODHNOlIYCjXTNkH3Ge0/c5600399cfdfdf54edc6a9b2915f7380/Untitled__4_.png?w=768&q=75 768w, https://images.ctfassets.net/wfutmusr1t3h/4AAODHNOlIYCjXTNkH3Ge0/c5600399cfdfdf54edc6a9b2915f7380/Untitled__4_.png?w=1012&q=75 1012w, https://images.ctfassets.net/wfutmusr1t3h/4AAODHNOlIYCjXTNkH3Ge0/c5600399cfdfdf54edc6a9b2915f7380/Untitled__4_.png?w=1280&q=75 1280w" src="https://images.ctfassets.net/wfutmusr1t3h/4AAODHNOlIYCjXTNkH3Ge0/c5600399cfdfdf54edc6a9b2915f7380/Untitled__4_.png?w=1280&q=75"/></noscript></span></section><div class="d-flex flex-items-start container-xl"><aside class="articles-sidebar sidebar d-none d-md-block mr-6"><p id="guide-sidebar-toc" class="text-mono gradient-fg-purple-red f4-mktg mb-3">Security<span class="sr-only"> table of contents.</span></p><nav aria-labelledby="guide-sidebar-toc"><ul class="list-style-none"><li><span class="Primer_Brand__Text-module__Text___pecHN Primer_Brand__Text-module__Text-font--mona-sans___GpzSG Primer_Brand__Text-module__Text--default___DChoE Primer_Brand__Text-module__Text--100___csEom"><button class="py-1 mb-1 border-0 color-bg-transparent width-full" style="display:flex;justify-content:space-between" aria-expanded="false" aria-label="Show the nested links">Essentials<span style="float:right"><svg aria-hidden="true" role="img" class="octicon octicon-chevron-down" viewBox="0 0 16 16" width="16" height="16" fill="currentColor" style="display:inline-block;user-select:none;vertical-align:text-bottom;overflow:visible"><path fill-rule="evenodd" d="M12.78 6.22a.75.75 0 010 1.06l-4.25 4.25a.75.75 0 01-1.06 0L3.22 7.28a.75.75 0 011.06-1.06L8 9.94l3.72-3.72a.75.75 0 011.06 0z"></path></svg></span></button></span></li><li><span class="Primer_Brand__Text-module__Text___pecHN Primer_Brand__Text-module__Text-font--mona-sans___GpzSG Primer_Brand__Text-module__Text--default___DChoE Primer_Brand__Text-module__Text--100___csEom"><button class="py-1 mb-1 border-0 color-bg-transparent width-full" style="display:flex;justify-content:space-between" aria-expanded="false" aria-label="Show the nested links">Intermediate<span style="float:right"><svg aria-hidden="true" role="img" class="octicon octicon-chevron-down" viewBox="0 0 16 16" width="16" height="16" fill="currentColor" style="display:inline-block;user-select:none;vertical-align:text-bottom;overflow:visible"><path fill-rule="evenodd" d="M12.78 6.22a.75.75 0 010 1.06l-4.25 4.25a.75.75 0 01-1.06 0L3.22 7.28a.75.75 0 011.06-1.06L8 9.94l3.72-3.72a.75.75 0 011.06 0z"></path></svg></span></button></span></li><li><span class="Primer_Brand__Text-module__Text___pecHN Primer_Brand__Text-module__Text-font--mona-sans___GpzSG Primer_Brand__Text-module__Text--default___DChoE Primer_Brand__Text-module__Text--100___csEom"><button class="py-1 mb-1 border-0 color-bg-transparent width-full" style="display:flex;justify-content:space-between" aria-expanded="false" aria-label="Show the nested links">Advanced<span style="float:right"><svg aria-hidden="true" role="img" class="octicon octicon-chevron-down" viewBox="0 0 16 16" width="16" height="16" fill="currentColor" style="display:inline-block;user-select:none;vertical-align:text-bottom;overflow:visible"><path fill-rule="evenodd" d="M12.78 6.22a.75.75 0 010 1.06l-4.25 4.25a.75.75 0 01-1.06 0L3.22 7.28a.75.75 0 011.06-1.06L8 9.94l3.72-3.72a.75.75 0 011.06 0z"></path></svg></span></button></span></li><li><span class="Primer_Brand__Text-module__Text___pecHN Primer_Brand__Text-module__Text-font--mona-sans___GpzSG Primer_Brand__Text-module__Text--default___DChoE Primer_Brand__Text-module__Text--100___csEom"><button class="py-1 mb-1 border-0 color-bg-transparent width-full" style="display:flex;justify-content:space-between" aria-expanded="false" aria-label="Show the nested links">More Learning Pathways<span style="float:right"><svg aria-hidden="true" role="img" class="octicon octicon-chevron-down" viewBox="0 0 16 16" width="16" height="16" fill="currentColor" style="display:inline-block;user-select:none;vertical-align:text-bottom;overflow:visible"><path fill-rule="evenodd" d="M12.78 6.22a.75.75 0 010 1.06l-4.25 4.25a.75.75 0 01-1.06 0L3.22 7.28a.75.75 0 011.06-1.06L8 9.94l3.72-3.72a.75.75 0 011.06 0z"></path></svg></span></button></span></li></ul></nav></aside><main class="Layout-main"><header class="mb-4 mb-md-6"><h1 class="h3-mktg mb-3">Understanding GitHub Advanced Security</h1></header><div class="text-mono text-left"><div class="d-flex flex-items-center pb-4"><div class="flex-shrink-0 mr-3"><span class="Primer_Brand__Avatar-module__Avatar___QrJMw Primer_Brand__Avatar-module__Avatar--size-48___TvwXR Primer_Brand__Avatar-module__Avatar--shape-circle___VvaB7" data-testid="Avatar"><img class="Primer_Brand__Avatar-module__Avatar__image___AajXN" src="//images.ctfassets.net/wfutmusr1t3h/lGT4vwbEHGrEwL3zQIV2c/50e0f8c6862c29566c6fb8dec30b3d42/Nicholas_Liffen_GitHub.jpeg" alt="Nicholas Liffen" data-testid="Avatar__image"/></span></div><div class="d-flex flex-column justify-content-center"><span class="Primer_Brand__Text-module__Text___pecHN Primer_Brand__Text-module__Text-font--mona-sans___GpzSG Primer_Brand__Text-module__Text--default___DChoE Primer_Brand__Text-module__Text--300___TBQTB">Nicholas Liffen<span class="Primer_Brand__Text-module__Text___pecHN Primer_Brand__Text-module__Text-font--mona-sans___GpzSG Primer_Brand__Text-module__Text--muted___lTaVa Primer_Brand__Text-module__Text--300___TBQTB"> // Director, GitHub Advanced Security<!-- --> <!-- -->// GitHub</span></span></div></div></div><div class="markdown-body contained my-4"><p>GitHub Advanced Security (GHAS) is a developer-first application security testing solution that brings GitHub's world-class security capabilities to public and private repositories. Most of GitHub Advanced Security features are free for public repositories but require a GitHub Advanced Security license for private repositories. It only takes a few clicks to get started. Right out of the box, you'll benefit from highly curated detection and remediation capabilities crafted by some of the world's best security engineers to ensure your code and software supply chain are as secure as possible. It's fully automated, so once enabled, you don't have to remember to run GHAS tests or wait for a security review before merging.</p><p class="Primer_Brand__Text-module__Text___pecHN Primer_Brand__Text-module__Text-font--mona-sans___GpzSG Primer_Brand__Text-module__Text--default___DChoE Primer_Brand__Text-module__Text--200___XAIGT">Before we dive into enabling and using GHAS, let's take some time to get familiar with its primary capabilities. TELUS, will share some insights into the company鈥檚 use of GitHub Advanced Security to help you along your way. </p><hr/><p class="Primer_Brand__Text-module__Text___pecHN Primer_Brand__Text-module__Text-font--mona-sans___GpzSG Primer_Brand__Text-module__Text--default___DChoE Primer_Brand__Text-module__Text--200___XAIGT">In this guide you will learn:</p><ul><li><p class="Primer_Brand__Text-module__Text___pecHN Primer_Brand__Text-module__Text-font--mona-sans___GpzSG Primer_Brand__Text-module__Text--default___DChoE Primer_Brand__Text-module__Text--200___XAIGT">What detection methods GHAS includes聽</p></li><li><p class="Primer_Brand__Text-module__Text___pecHN Primer_Brand__Text-module__Text-font--mona-sans___GpzSG Primer_Brand__Text-module__Text--default___DChoE Primer_Brand__Text-module__Text--200___XAIGT">How the different features help secure various parts of your software</p></li><li><p class="Primer_Brand__Text-module__Text___pecHN Primer_Brand__Text-module__Text-font--mona-sans___GpzSG Primer_Brand__Text-module__Text--default___DChoE Primer_Brand__Text-module__Text--200___XAIGT">What capabilities are available to report on your security progress</p></li></ul><hr/><p class="Primer_Brand__Text-module__Text___pecHN Primer_Brand__Text-module__Text-font--mona-sans___GpzSG Primer_Brand__Text-module__Text--default___DChoE Primer_Brand__Text-module__Text--200___XAIGT"></p><h2>Secret scanning</h2><p class="Primer_Brand__Text-module__Text___pecHN Primer_Brand__Text-module__Text-font--mona-sans___GpzSG Primer_Brand__Text-module__Text--default___DChoE Primer_Brand__Text-module__Text--200___XAIGT">Secret scanning protects you from accidentally leaking tokens and other secrets by searching your entire repository, including git history and issues, for any pattern-based credentials that may have been committed to a codebase. Secret scanning tests for over 200 token types and is supported by a partner program of approximately 150 service providers to detect leaked secrets across common tools you use when developing software. You can also define over 500 custom patterns across your organization for your unique or proprietary secrets to ensure they are detected as well. You can even use regular expressions to create custom patterns. Secret scanning鈥檚 push protection feature provides preventative protection that actively warns developers when committing new secrets to a repository.</p><p class="Primer_Brand__Text-module__Text___pecHN Primer_Brand__Text-module__Text-font--mona-sans___GpzSG Primer_Brand__Text-module__Text--default___DChoE Primer_Brand__Text-module__Text--200___XAIGT"> </p><h2>Code scanning</h2><p class="Primer_Brand__Text-module__Text___pecHN Primer_Brand__Text-module__Text-font--mona-sans___GpzSG Primer_Brand__Text-module__Text--default___DChoE Primer_Brand__Text-module__Text--200___XAIGT">Code scanning is GitHub鈥檚 application security testing interface. It鈥檚 home to GitHub's static analysis solution, CodeQL, a semantic analysis engine that can uncover not just known vulnerabilities but unknown variations, potentially unsafe coding practices, and other code quality issues.</p><p class="Primer_Brand__Text-module__Text___pecHN Primer_Brand__Text-module__Text-font--mona-sans___GpzSG Primer_Brand__Text-module__Text--default___DChoE Primer_Brand__Text-module__Text--200___XAIGT"> </p><p class="Primer_Brand__Text-module__Text___pecHN Primer_Brand__Text-module__Text-font--mona-sans___GpzSG Primer_Brand__Text-module__Text--default___DChoE Primer_Brand__Text-module__Text--200___XAIGT">CodeQL prepares code for analysis by creating a database of a repository鈥檚 code, which provides a "built" version of the users' code represented as structured data that CodeQL uses to understand the data flow of the application, rather than just scanning the static code without context. CodeQL then executes a series of queries against the repository鈥檚 entire CodeQL database.聽</p><p class="Primer_Brand__Text-module__Text___pecHN Primer_Brand__Text-module__Text-font--mona-sans___GpzSG Primer_Brand__Text-module__Text--default___DChoE Primer_Brand__Text-module__Text--200___XAIGT"> </p><p class="Primer_Brand__Text-module__Text___pecHN Primer_Brand__Text-module__Text-font--mona-sans___GpzSG Primer_Brand__Text-module__Text--default___DChoE Primer_Brand__Text-module__Text--200___XAIGT">You can write your own queries, but GitHub provides thousands of queries that cover the most critical types of vulnerabilities. For example, the combination of our default CodeQL and Dependabot queries will help ensure you stay <a href="https://owasp.org/www-project-top-ten/" class="Primer_Brand__InlineLink-module__InlineLink___U_Ama">OWASP Top 10</a> and <a href="https://www.sans.org/top25-software-errors/" class="Primer_Brand__InlineLink-module__InlineLink___U_Ama">SANS Top 25</a> compliant. These queries have been selected for their high level of accuracy, ensuring a low false positive rate for the user.</p><div class="customer-voice border color-border-default position-relative d-flex px-16"><div><div class="contained my-4"><p class="Primer_Brand__Text-module__Text___pecHN Primer_Brand__Text-module__Text-font--mona-sans___GpzSG Primer_Brand__Text-module__Text--default___DChoE Primer_Brand__Text-module__Text--200___XAIGT"><b>The CodeQL default queries meet the majority of our needs. </b>We're starting to see some teams write custom queries as developers become more familiar with the platform, but we still get a ton of value by just using the defaults.</p></div><div class="text-mono text-left"><div class="d-flex flex-items-center pb-4"><div class="flex-shrink-0 mr-3"><span class="Primer_Brand__Avatar-module__Avatar___QrJMw Primer_Brand__Avatar-module__Avatar--size-48___TvwXR Primer_Brand__Avatar-module__Avatar--shape-circle___VvaB7" data-testid="Avatar"><img class="Primer_Brand__Avatar-module__Avatar__image___AajXN" src="//images.ctfassets.net/wfutmusr1t3h/74YoK6ZSOrhetwCnTH42Xj/e54a3361e8f254a648e06d9942e20840/Untitled__13_.png" alt="Justin Watts" data-testid="Avatar__image"/></span></div><div class="d-flex flex-column justify-content-center"><span class="Primer_Brand__Text-module__Text___pecHN Primer_Brand__Text-module__Text-font--mona-sans___GpzSG Primer_Brand__Text-module__Text--default___DChoE Primer_Brand__Text-module__Text--300___TBQTB">Justin Watts<span class="Primer_Brand__Text-module__Text___pecHN Primer_Brand__Text-module__Text-font--mona-sans___GpzSG Primer_Brand__Text-module__Text--muted___lTaVa Primer_Brand__Text-module__Text--300___TBQTB"> // Director, Engineering Productivity<!-- --> <!-- -->// TELUS</span></span></div></div></div></div></div><p class="Primer_Brand__Text-module__Text___pecHN Primer_Brand__Text-module__Text-font--mona-sans___GpzSG Primer_Brand__Text-module__Text--default___DChoE Primer_Brand__Text-module__Text--200___XAIGT"></p><p class="Primer_Brand__Text-module__Text___pecHN Primer_Brand__Text-module__Text-font--mona-sans___GpzSG Primer_Brand__Text-module__Text--default___DChoE Primer_Brand__Text-module__Text--200___XAIGT"> </p><p class="Primer_Brand__Text-module__Text___pecHN Primer_Brand__Text-module__Text-font--mona-sans___GpzSG Primer_Brand__Text-module__Text--default___DChoE Primer_Brand__Text-module__Text--200___XAIGT">In addition to CodeQL, code scanning can be used to view and interact with any other application security tool that produces a file in the SARIF (Static Analysis Results Interchange Format) standard. GitHub provides over 70 out-of-the-box GitHub Actions to automatically integrate popular open source and commercial application security solutions from many categories, including dynamic analysis, code quality, and container security. Results from these integrations are surfaced through the code scanning interface and are displayed in the same format as CodeQL, providing a consistent experience across tooling.</p><p class="Primer_Brand__Text-module__Text___pecHN Primer_Brand__Text-module__Text-font--mona-sans___GpzSG Primer_Brand__Text-module__Text--default___DChoE Primer_Brand__Text-module__Text--200___XAIGT"> </p><h2>Supply chain security</h2><p class="Primer_Brand__Text-module__Text___pecHN Primer_Brand__Text-module__Text-font--mona-sans___GpzSG Primer_Brand__Text-module__Text--default___DChoE Primer_Brand__Text-module__Text--200___XAIGT">As the home of open source, GitHub offers many Supply Chain Security features for free to honor our commitment to make open source usage secure for everyone. This includes access to GitHub鈥檚 <a href="https://github.com/advisories" class="Primer_Brand__InlineLink-module__InlineLink___U_Ama">Advisory Database</a> and <a href="https://securitylab.github.com/" class="Primer_Brand__InlineLink-module__InlineLink___U_Ama">Security Lab</a> research, which host the most robust, relevant, and accurate sources of open source vulnerability data in the world, as well as dependency graph, which summarizes your dependencies, and Dependabot, which identifies vulnerabilities in dependencies and suggests automatic ways to fix, patch, or update them.</p><p class="Primer_Brand__Text-module__Text___pecHN Primer_Brand__Text-module__Text-font--mona-sans___GpzSG Primer_Brand__Text-module__Text--default___DChoE Primer_Brand__Text-module__Text--200___XAIGT"> </p><p class="Primer_Brand__Text-module__Text___pecHN Primer_Brand__Text-module__Text-font--mona-sans___GpzSG Primer_Brand__Text-module__Text--default___DChoE Primer_Brand__Text-module__Text--200___XAIGT">To extend these capabilities for enterprise users, GHAS offers supply chain security tailored for the enterprise, like dependency review, a proactive feature that helps prevent insecure dependencies from making it into private repositories.</p><p class="Primer_Brand__Text-module__Text___pecHN Primer_Brand__Text-module__Text-font--mona-sans___GpzSG Primer_Brand__Text-module__Text--default___DChoE Primer_Brand__Text-module__Text--200___XAIGT"> </p><h2>Reporting</h2><p class="Primer_Brand__Text-module__Text___pecHN Primer_Brand__Text-module__Text-font--mona-sans___GpzSG Primer_Brand__Text-module__Text--default___DChoE Primer_Brand__Text-module__Text--200___XAIGT">Once you enable GHAS features, you can report on your security posture and adoption with security overview. Security overview provides a high-level view into how application security efforts are performing over time, while also providing granular filtering capabilities to identify and prioritize problematic areas of the codebase that require immediate attention.</p><h2>Up next: <a href="https://resources.github.com/learn/pathways/security/essentials/enabling-github-advanced-security" class="Primer_Brand__InlineLink-module__InlineLink___U_Ama">Enabling GitHub Advanced Security</a></h2><p class="Primer_Brand__Text-module__Text___pecHN Primer_Brand__Text-module__Text-font--mona-sans___GpzSG Primer_Brand__Text-module__Text--default___DChoE Primer_Brand__Text-module__Text--200___XAIGT">Now that you know what each of these features do, <a href="https://resources.github.com/learn/pathways/security/essentials/enabling-github-advanced-security" class="Primer_Brand__InlineLink-module__InlineLink___U_Ama">let鈥檚 go ahead and turn them on</a>. You might be surprised how easy it is!</p></div></main></div></div></div></main></div></div><script id="__NEXT_DATA__" type="application/json">{"props":{"pageProps":{"page":{"metadata":{"tags":[],"concepts":[]},"sys":{"space":{"sys":{"type":"Link","linkType":"Space","id":"wfutmusr1t3h"}},"id":"2dSMF0PlELjldCPiveByy2","type":"Entry","createdAt":"2023-09-22T22:37:33.039Z","updatedAt":"2023-09-22T22:37:33.039Z","environment":{"sys":{"id":"master","type":"Link","linkType":"Environment"}},"publishedVersion":9,"revision":1,"contentType":{"sys":{"type":"Link","linkType":"ContentType","id":"page"}}},"fields":{"path":"/learn/pathways/security/essentials/application-security-testing-github-advanced-security","content":{"metadata":{"tags":[],"concepts":[]},"sys":{"space":{"sys":{"type":"Link","linkType":"Space","id":"wfutmusr1t3h"}},"id":"3tHW6d55CcQk0LqGlnM6Mj","type":"Entry","createdAt":"2023-09-22T22:37:33.111Z","updatedAt":"2024-11-05T13:58:06.424Z","environment":{"sys":{"id":"master","type":"Link","linkType":"Environment"}},"publishedVersion":133,"revision":38,"contentType":{"sys":{"type":"Link","linkType":"ContentType","id":"guidePage"}}},"fields":{"internalTitle":"S100-1 Understanding GitHub Advanced Security","hero":{"metadata":{"tags":[],"concepts":[]},"sys":{"space":{"sys":{"type":"Link","linkType":"Space","id":"wfutmusr1t3h"}},"id":"5pydlSaRlKVUbm7FlgzHgK","type":"Entry","createdAt":"2023-09-22T22:37:33.179Z","updatedAt":"2023-09-22T22:37:33.179Z","environment":{"sys":{"id":"master","type":"Link","linkType":"Environment"}},"publishedVersion":3,"revision":1,"contentType":{"sys":{"type":"Link","linkType":"ContentType","id":"sectionHero"}}},"fields":{"title":"Understanding GitHub Advanced Security - Hero","hero":{"metadata":{"tags":[],"concepts":[]},"sys":{"space":{"sys":{"type":"Link","linkType":"Space","id":"wfutmusr1t3h"}},"id":"5F98idbhCW080fgLkZVUlj","type":"Entry","createdAt":"2023-09-22T22:37:33.263Z","updatedAt":"2024-11-26T11:20:18.359Z","environment":{"sys":{"id":"master","type":"Link","linkType":"Environment"}},"publishedVersion":93,"revision":45,"contentType":{"sys":{"type":"Link","linkType":"ContentType","id":"primerComponentHero"}}},"fields":{"title":"Understanding GitHub Advanced Security - Hero","heading":"Understanding GitHub Advanced Security","text":"GitHub Advanced Security (GHAS) is a developer-first application security testing solution that brings GitHub's world-class security capabilities to public and private repositories. Most of GitHub Advanced Security features are free for public repositories but require a GitHub Advanced Security license for private repositories. It only takes a few clicks to get started. Right out of the box, you'll benefit from highly curated detection and remediation capabilities crafted by some of the world's best security engineers to ensure your code and software supply chain are as secure as possible. It's fully automated, so once enabled, you don't have to remember to run GHAS tests or wait for a security review before merging.","align":"Left"}},"backgroundImage":{"metadata":{"tags":[],"concepts":[]},"sys":{"space":{"sys":{"type":"Link","linkType":"Space","id":"wfutmusr1t3h"}},"id":"4AAODHNOlIYCjXTNkH3Ge0","type":"Asset","createdAt":"2023-09-22T22:35:07.965Z","updatedAt":"2023-09-22T22:35:07.965Z","environment":{"sys":{"id":"master","type":"Link","linkType":"Environment"}},"publishedVersion":9,"revision":1},"fields":{"title":"Learning Pathways - Security - Essentials of GitHub Advanced Security","description":"Guards guarding a castle","file":{"url":"//images.ctfassets.net/wfutmusr1t3h/4AAODHNOlIYCjXTNkH3Ge0/c5600399cfdfdf54edc6a9b2915f7380/Untitled__4_.png","details":{"size":441292,"image":{"width":1500,"height":500}},"fileName":"Untitled (4).png","contentType":"image/png"}}},"theme":"light"}},"sidebar":{"metadata":{"tags":[],"concepts":[]},"sys":{"space":{"sys":{"type":"Link","linkType":"Space","id":"wfutmusr1t3h"}},"id":"6XWkwiI7xdkMUhEo922BIl","type":"Entry","createdAt":"2023-09-22T22:35:08.247Z","updatedAt":"2024-11-05T14:01:05.208Z","environment":{"sys":{"id":"master","type":"Link","linkType":"Environment"}},"publishedVersion":61,"revision":29,"contentType":{"sys":{"type":"Link","linkType":"ContentType","id":"guideSidebar"}}},"fields":{"title":"Security","links":[{"metadata":{"tags":[],"concepts":[]},"sys":{"space":{"sys":{"type":"Link","linkType":"Space","id":"wfutmusr1t3h"}},"id":"53mcmG19ZgTsMoNwEEAo5W","type":"Entry","createdAt":"2023-09-22T22:35:08.338Z","updatedAt":"2024-11-05T14:01:07.812Z","environment":{"sys":{"id":"master","type":"Link","linkType":"Environment"}},"publishedVersion":82,"revision":34,"contentType":{"sys":{"type":"Link","linkType":"ContentType","id":"guideLink"}}},"fields":{"text":"Essentials","href":"#","nestedLinks":[{"metadata":{"tags":[],"concepts":[]},"sys":{"space":{"sys":{"type":"Link","linkType":"Space","id":"wfutmusr1t3h"}},"id":"53MlvHtpiKmtfEPfQxZ4OM","type":"Entry","createdAt":"2023-09-28T17:57:21.339Z","updatedAt":"2024-11-05T14:01:10.396Z","environment":{"sys":{"id":"master","type":"Link","linkType":"Environment"}},"publishedVersion":69,"revision":33,"contentType":{"sys":{"type":"Link","linkType":"ContentType","id":"guideLink"}}},"fields":{"text":"Essentials of security: Begin with the Basics","href":"https://resources.github.com/learn/pathways/security/essentials/essentials-github-advanced-security/"}},{"metadata":{"tags":[],"concepts":[]},"sys":{"space":{"sys":{"type":"Link","linkType":"Space","id":"wfutmusr1t3h"}},"id":"3FR33HJ5q3aEKtaemHaaK4","type":"Entry","createdAt":"2023-09-22T22:35:08.359Z","updatedAt":"2024-11-05T14:01:16.019Z","environment":{"sys":{"id":"master","type":"Link","linkType":"Environment"}},"publishedVersion":73,"revision":33,"contentType":{"sys":{"type":"Link","linkType":"ContentType","id":"guideLink"}}},"fields":{"text":"Guide 1: Understanding GitHub Advanced Security","href":"/learn/pathways/security/essentials/application-security-testing-github-advanced-security"}},{"metadata":{"tags":[],"concepts":[]},"sys":{"space":{"sys":{"type":"Link","linkType":"Space","id":"wfutmusr1t3h"}},"id":"1gVNiCritY9HJC6g9Q2OOE","type":"Entry","createdAt":"2023-09-22T22:35:08.377Z","updatedAt":"2024-11-05T14:01:18.571Z","environment":{"sys":{"id":"master","type":"Link","linkType":"Environment"}},"publishedVersion":73,"revision":33,"contentType":{"sys":{"type":"Link","linkType":"ContentType","id":"guideLink"}}},"fields":{"text":"Guide 2: Enabling GitHub Advanced Security","href":"/learn/pathways/security/essentials/enabling-github-advanced-security"}},{"metadata":{"tags":[],"concepts":[]},"sys":{"space":{"sys":{"type":"Link","linkType":"Space","id":"wfutmusr1t3h"}},"id":"33qwN9teVTywElQBE73mBY","type":"Entry","createdAt":"2023-09-22T22:35:08.397Z","updatedAt":"2024-11-05T14:01:21.186Z","environment":{"sys":{"id":"master","type":"Link","linkType":"Environment"}},"publishedVersion":71,"revision":33,"contentType":{"sys":{"type":"Link","linkType":"ContentType","id":"guideLink"}}},"fields":{"text":"Guide 3: Reviewing GitHub Advanced Security scan results","href":"/learn/pathways/security/essentials/reviewing-github-advanced-security-scan-results"}},{"metadata":{"tags":[],"concepts":[]},"sys":{"space":{"sys":{"type":"Link","linkType":"Space","id":"wfutmusr1t3h"}},"id":"4aXkaA8Jbs9WYnHEGqVKYr","type":"Entry","createdAt":"2023-09-22T22:35:08.427Z","updatedAt":"2024-11-05T14:01:23.866Z","environment":{"sys":{"id":"master","type":"Link","linkType":"Environment"}},"publishedVersion":74,"revision":33,"contentType":{"sys":{"type":"Link","linkType":"ContentType","id":"guideLink"}}},"fields":{"text":"Essentials module on GitHub Advanced Security wrap-up","href":"/learn/pathways/security/essentials/github-advanced-security-essentials-wrap-up"}}]}},{"metadata":{"tags":[],"concepts":[]},"sys":{"space":{"sys":{"type":"Link","linkType":"Space","id":"wfutmusr1t3h"}},"id":"1LXbWRV0eKeiMC3kPbYc1F","type":"Entry","createdAt":"2023-09-22T22:35:08.451Z","updatedAt":"2024-11-05T14:01:26.371Z","environment":{"sys":{"id":"master","type":"Link","linkType":"Environment"}},"publishedVersion":79,"revision":34,"contentType":{"sys":{"type":"Link","linkType":"ContentType","id":"guideLink"}}},"fields":{"text":"Intermediate","href":"#","nestedLinks":[{"metadata":{"tags":[],"concepts":[]},"sys":{"space":{"sys":{"type":"Link","linkType":"Space","id":"wfutmusr1t3h"}},"id":"6JgiUT3XStTeQsGjHf5Mzp","type":"Entry","createdAt":"2023-09-28T17:57:21.395Z","updatedAt":"2024-11-05T14:01:29.032Z","environment":{"sys":{"id":"master","type":"Link","linkType":"Environment"}},"publishedVersion":68,"revision":33,"contentType":{"sys":{"type":"Link","linkType":"ContentType","id":"guideLink"}}},"fields":{"text":"Intermediate security: Continue your journey","href":"/learn/pathways/security/intermediate/intermediate-guides-github-advanced-security"}},{"metadata":{"tags":[],"concepts":[]},"sys":{"space":{"sys":{"type":"Link","linkType":"Space","id":"wfutmusr1t3h"}},"id":"7anHuslK5cFDXXhYasHCvb","type":"Entry","createdAt":"2023-09-22T22:35:08.512Z","updatedAt":"2024-11-05T14:01:31.376Z","environment":{"sys":{"id":"master","type":"Link","linkType":"Environment"}},"publishedVersion":70,"revision":33,"contentType":{"sys":{"type":"Link","linkType":"ContentType","id":"guideLink"}}},"fields":{"text":"Guide 1: Advanced CodeQL setup","href":"/learn/pathways/security/intermediate/codeql-advanced-setup"}},{"metadata":{"tags":[],"concepts":[]},"sys":{"space":{"sys":{"type":"Link","linkType":"Space","id":"wfutmusr1t3h"}},"id":"1NCyrcJbYCGdHeJumxTZiY","type":"Entry","createdAt":"2023-09-22T22:35:08.534Z","updatedAt":"2024-11-05T14:01:34.032Z","environment":{"sys":{"id":"master","type":"Link","linkType":"Environment"}},"publishedVersion":69,"revision":33,"contentType":{"sys":{"type":"Link","linkType":"ContentType","id":"guideLink"}}},"fields":{"text":"Guide 2: Fine-tune testing scope with CodeQL ","href":"/learn/pathways/security/intermediate/fine-tune-testing-scope-with-codeql"}},{"metadata":{"tags":[],"concepts":[]},"sys":{"space":{"sys":{"type":"Link","linkType":"Space","id":"wfutmusr1t3h"}},"id":"6wtE6ongGYLzaJggB3wcwZ","type":"Entry","createdAt":"2023-09-22T22:35:08.552Z","updatedAt":"2024-11-05T14:01:36.565Z","environment":{"sys":{"id":"master","type":"Link","linkType":"Environment"}},"publishedVersion":70,"revision":33,"contentType":{"sys":{"type":"Link","linkType":"ContentType","id":"guideLink"}}},"fields":{"text":"Guide 3: Extend your testing with third-party tools with GitHub code scanning","href":"/learn/pathways/security/intermediate/third-party-tools-integration-code-scanning"}},{"metadata":{"tags":[],"concepts":[]},"sys":{"space":{"sys":{"type":"Link","linkType":"Space","id":"wfutmusr1t3h"}},"id":"5e4Rl6gw8lNIGisZ0SY0cB","type":"Entry","createdAt":"2023-09-22T22:35:08.567Z","updatedAt":"2024-11-05T14:01:39.028Z","environment":{"sys":{"id":"master","type":"Link","linkType":"Environment"}},"publishedVersion":70,"revision":33,"contentType":{"sys":{"type":"Link","linkType":"ContentType","id":"guideLink"}}},"fields":{"text":"Guide 4: Customizing the scope of secret scanning","href":"/learn/pathways/security/intermediate/customizing-secret-scanning-scope"}},{"metadata":{"tags":[],"concepts":[]},"sys":{"space":{"sys":{"type":"Link","linkType":"Space","id":"wfutmusr1t3h"}},"id":"5YJ6xU4J41yGTphobMwNLH","type":"Entry","createdAt":"2023-09-22T22:35:08.583Z","updatedAt":"2024-11-05T14:01:41.561Z","environment":{"sys":{"id":"master","type":"Link","linkType":"Environment"}},"publishedVersion":70,"revision":33,"contentType":{"sys":{"type":"Link","linkType":"ContentType","id":"guideLink"}}},"fields":{"text":"Guide 5: Customize dependency review configuration","href":"/learn/pathways/security/intermediate/customize-dependency-review-configuration"}},{"metadata":{"tags":[],"concepts":[]},"sys":{"space":{"sys":{"type":"Link","linkType":"Space","id":"wfutmusr1t3h"}},"id":"1orz4rBUz3uY9x5z7iJIuK","type":"Entry","createdAt":"2023-09-22T22:35:08.605Z","updatedAt":"2024-11-05T14:01:44.492Z","environment":{"sys":{"id":"master","type":"Link","linkType":"Environment"}},"publishedVersion":72,"revision":33,"contentType":{"sys":{"type":"Link","linkType":"ContentType","id":"guideLink"}}},"fields":{"text":"Intermediate module on GitHub Advanced Security wrap-up","href":"/learn/pathways/security/intermediate/intermediate-security-module-wrap-up"}}]}},{"metadata":{"tags":[],"concepts":[]},"sys":{"space":{"sys":{"type":"Link","linkType":"Space","id":"wfutmusr1t3h"}},"id":"3BktEGh7bBRM7f75nBHxg4","type":"Entry","createdAt":"2023-09-22T22:35:08.623Z","updatedAt":"2024-11-05T14:01:53.004Z","environment":{"sys":{"id":"master","type":"Link","linkType":"Environment"}},"publishedVersion":81,"revision":35,"contentType":{"sys":{"type":"Link","linkType":"ContentType","id":"guideLink"}}},"fields":{"text":"Advanced","href":"#","nestedLinks":[{"metadata":{"tags":[],"concepts":[]},"sys":{"space":{"sys":{"type":"Link","linkType":"Space","id":"wfutmusr1t3h"}},"id":"2fP3eA7vPxY0T2JuAAG3Xd","type":"Entry","createdAt":"2023-09-28T17:57:21.414Z","updatedAt":"2024-11-05T14:01:55.828Z","environment":{"sys":{"id":"master","type":"Link","linkType":"Environment"}},"publishedVersion":67,"revision":33,"contentType":{"sys":{"type":"Link","linkType":"ContentType","id":"guideLink"}}},"fields":{"text":"Advanced security: Become the expert","href":"/learn/pathways/security/advanced/advanced-module-github-advanced-security"}},{"metadata":{"tags":[],"concepts":[]},"sys":{"space":{"sys":{"type":"Link","linkType":"Space","id":"wfutmusr1t3h"}},"id":"3eDAWMsHiA2M7dqjGiBwN8","type":"Entry","createdAt":"2023-09-22T22:35:08.645Z","updatedAt":"2024-11-05T14:01:58.450Z","environment":{"sys":{"id":"master","type":"Link","linkType":"Environment"}},"publishedVersion":71,"revision":33,"contentType":{"sys":{"type":"Link","linkType":"ContentType","id":"guideLink"}}},"fields":{"text":"Guide 1: Create a central CodeQL configuration file","href":"/learn/pathways/security/advanced/creating-central-codeql-configuration"}},{"metadata":{"tags":[],"concepts":[]},"sys":{"space":{"sys":{"type":"Link","linkType":"Space","id":"wfutmusr1t3h"}},"id":"77w0DKfMS36admfWKP1X0b","type":"Entry","createdAt":"2023-09-22T22:35:08.664Z","updatedAt":"2024-11-05T14:02:01.151Z","environment":{"sys":{"id":"master","type":"Link","linkType":"Environment"}},"publishedVersion":71,"revision":33,"contentType":{"sys":{"type":"Link","linkType":"ContentType","id":"guideLink"}}},"fields":{"text":"Guide 2: Understand your end-to-end software supply chain","href":"/learn/pathways/security/advanced/understanding-software-supply-chain"}},{"metadata":{"tags":[],"concepts":[]},"sys":{"space":{"sys":{"type":"Link","linkType":"Space","id":"wfutmusr1t3h"}},"id":"L8ycMhpQHcKqAvVH7KVsX","type":"Entry","createdAt":"2023-09-22T22:35:08.683Z","updatedAt":"2024-11-05T14:02:03.832Z","environment":{"sys":{"id":"master","type":"Link","linkType":"Environment"}},"publishedVersion":71,"revision":33,"contentType":{"sys":{"type":"Link","linkType":"ContentType","id":"guideLink"}}},"fields":{"text":"Advanced module on GitHub Advanced Security wrap-up","href":"/learn/pathways/security/advanced/advanced-security-module-wrap-up"}}]}},{"metadata":{"tags":[],"concepts":[]},"sys":{"space":{"sys":{"type":"Link","linkType":"Space","id":"wfutmusr1t3h"}},"id":"5E3xgSxzLnCU0UvPVeGEVg","type":"Entry","createdAt":"2023-09-22T22:35:08.699Z","updatedAt":"2024-11-05T14:02:06.444Z","environment":{"sys":{"id":"master","type":"Link","linkType":"Environment"}},"publishedVersion":75,"revision":35,"contentType":{"sys":{"type":"Link","linkType":"ContentType","id":"guideLink"}}},"fields":{"text":"More Learning Pathways","href":"#","nestedLinks":[{"metadata":{"tags":[],"concepts":[]},"sys":{"space":{"sys":{"type":"Link","linkType":"Space","id":"wfutmusr1t3h"}},"id":"1z8RkcTKn6pIVTD1Tb1rmE","type":"Entry","createdAt":"2023-09-22T21:30:24.656Z","updatedAt":"2024-11-05T14:02:09.020Z","environment":{"sys":{"id":"master","type":"Link","linkType":"Environment"}},"publishedVersion":113,"revision":53,"contentType":{"sys":{"type":"Link","linkType":"ContentType","id":"guideLink"}}},"fields":{"text":"Start your automation pathway","href":"/learn/pathways/automation"}},{"metadata":{"tags":[],"concepts":[]},"sys":{"space":{"sys":{"type":"Link","linkType":"Space","id":"wfutmusr1t3h"}},"id":"3FlwdbhjNquuTLKDWb1xaT","type":"Entry","createdAt":"2023-09-22T22:35:08.736Z","updatedAt":"2024-11-05T14:00:44.529Z","environment":{"sys":{"id":"master","type":"Link","linkType":"Environment"}},"publishedVersion":114,"revision":52,"contentType":{"sys":{"type":"Link","linkType":"ContentType","id":"guideLink"}}},"fields":{"text":"Start your governance pathway","href":"/learn/pathways/administration-governance/"}},{"metadata":{"tags":[],"concepts":[]},"sys":{"space":{"sys":{"type":"Link","linkType":"Space","id":"wfutmusr1t3h"}},"id":"3wDJPLZunotkpdqrxZo0Bg","type":"Entry","createdAt":"2024-02-27T17:27:58.016Z","updatedAt":"2024-11-05T14:00:47.234Z","environment":{"sys":{"id":"master","type":"Link","linkType":"Environment"}},"publishedVersion":71,"revision":34,"contentType":{"sys":{"type":"Link","linkType":"ContentType","id":"guideLink"}}},"fields":{"text":"Start your GitHub Copilot pathway","href":"/learn/pathways/copilot/essentials/essentials-of-github-copilot"}}]}}]}},"authors":[{"metadata":{"tags":[],"concepts":[]},"sys":{"space":{"sys":{"type":"Link","linkType":"Space","id":"wfutmusr1t3h"}},"id":"1qkBXdtCIFRb44aOyCNYDb","type":"Entry","createdAt":"2023-09-22T22:35:08.755Z","updatedAt":"2024-11-26T10:48:09.920Z","environment":{"sys":{"id":"master","type":"Link","linkType":"Environment"}},"publishedVersion":100,"revision":48,"contentType":{"sys":{"type":"Link","linkType":"ContentType","id":"person"}}},"fields":{"name":"Nicholas Liffen","avatar":{"metadata":{"tags":[],"concepts":[]},"sys":{"space":{"sys":{"type":"Link","linkType":"Space","id":"wfutmusr1t3h"}},"id":"lGT4vwbEHGrEwL3zQIV2c","type":"Asset","createdAt":"2023-09-22T22:35:07.970Z","updatedAt":"2024-03-11T21:05:06.581Z","environment":{"sys":{"id":"master","type":"Link","linkType":"Environment"}},"publishedVersion":8,"revision":2},"fields":{"title":"Nicholas Liffen avatar","description":"Nicholas Liffen avatar","file":{"url":"//images.ctfassets.net/wfutmusr1t3h/lGT4vwbEHGrEwL3zQIV2c/50e0f8c6862c29566c6fb8dec30b3d42/Nicholas_Liffen_GitHub.jpeg","details":{"size":84243,"image":{"width":800,"height":800}},"fileName":"Nicholas Liffen GitHub.jpeg","contentType":"image/jpeg"}}},"title":"Director, GitHub Advanced Security","company":"GitHub"}}],"body":{"data":{},"content":[{"data":{},"content":[{"data":{},"marks":[],"value":"Before we dive into enabling and using GHAS, let's take some time to get familiar with its primary capabilities. TELUS, will share some insights into the company鈥檚 use of GitHub Advanced Security to help you along your way.\n","nodeType":"text"}],"nodeType":"paragraph"},{"data":{},"content":[],"nodeType":"hr"},{"data":{},"content":[{"data":{},"marks":[],"value":"In this guide you will learn:","nodeType":"text"}],"nodeType":"paragraph"},{"data":{},"content":[{"data":{},"content":[{"data":{},"content":[{"data":{},"marks":[],"value":"What detection methods GHAS includes聽","nodeType":"text"}],"nodeType":"paragraph"}],"nodeType":"list-item"},{"data":{},"content":[{"data":{},"content":[{"data":{},"marks":[],"value":"How the different features help secure various parts of your software","nodeType":"text"}],"nodeType":"paragraph"}],"nodeType":"list-item"},{"data":{},"content":[{"data":{},"content":[{"data":{},"marks":[],"value":"What capabilities are available to report on your security progress","nodeType":"text"}],"nodeType":"paragraph"}],"nodeType":"list-item"}],"nodeType":"unordered-list"},{"data":{},"content":[],"nodeType":"hr"},{"data":{},"content":[{"data":{},"marks":[],"value":"","nodeType":"text"}],"nodeType":"paragraph"},{"data":{},"content":[{"data":{},"marks":[],"value":"Secret scanning","nodeType":"text"}],"nodeType":"heading-2"},{"data":{},"content":[{"data":{},"marks":[],"value":"Secret scanning protects you from accidentally leaking tokens and other secrets by searching your entire repository, including git history and issues, for any pattern-based credentials that may have been committed to a codebase. Secret scanning tests for over 200 token types and is supported by a partner program of approximately 150 service providers to detect leaked secrets across common tools you use when developing software. You can also define over 500 custom patterns across your organization for your unique or proprietary secrets to ensure they are detected as well. You can even use regular expressions to create custom patterns. Secret scanning鈥檚 push protection feature provides preventative protection that actively warns developers when committing new secrets to a repository.","nodeType":"text"}],"nodeType":"paragraph"},{"data":{},"content":[{"data":{},"marks":[],"value":"\n","nodeType":"text"}],"nodeType":"paragraph"},{"data":{},"content":[{"data":{},"marks":[],"value":"Code scanning","nodeType":"text"}],"nodeType":"heading-2"},{"data":{},"content":[{"data":{},"marks":[],"value":"Code scanning is GitHub鈥檚 application security testing interface. It鈥檚 home to GitHub's static analysis solution, CodeQL, a semantic analysis engine that can uncover not just known vulnerabilities but unknown variations, potentially unsafe coding practices, and other code quality issues.","nodeType":"text"}],"nodeType":"paragraph"},{"data":{},"content":[{"data":{},"marks":[],"value":"\n","nodeType":"text"}],"nodeType":"paragraph"},{"data":{},"content":[{"data":{},"marks":[],"value":"CodeQL prepares code for analysis by creating a database of a repository鈥檚 code, which provides a \"built\" version of the users' code represented as structured data that CodeQL uses to understand the data flow of the application, rather than just scanning the static code without context. CodeQL then executes a series of queries against the repository鈥檚 entire CodeQL database.聽","nodeType":"text"}],"nodeType":"paragraph"},{"data":{},"content":[{"data":{},"marks":[],"value":"\n","nodeType":"text"}],"nodeType":"paragraph"},{"data":{},"content":[{"data":{},"marks":[],"value":"You can write your own queries, but GitHub provides thousands of queries that cover the most critical types of vulnerabilities. For example, the combination of our default CodeQL and Dependabot queries will help ensure you stay ","nodeType":"text"},{"data":{"uri":"https://owasp.org/www-project-top-ten/"},"content":[{"data":{},"marks":[],"value":"OWASP Top 10","nodeType":"text"}],"nodeType":"hyperlink"},{"data":{},"marks":[],"value":" and ","nodeType":"text"},{"data":{"uri":"https://www.sans.org/top25-software-errors/"},"content":[{"data":{},"marks":[],"value":"SANS Top 25","nodeType":"text"}],"nodeType":"hyperlink"},{"data":{},"marks":[],"value":" compliant. These queries have been selected for their high level of accuracy, ensuring a low false positive rate for the user.","nodeType":"text"}],"nodeType":"paragraph"},{"data":{"target":{"metadata":{"tags":[],"concepts":[]},"sys":{"space":{"sys":{"type":"Link","linkType":"Space","id":"wfutmusr1t3h"}},"id":"18MIxZmc8Afh113vkjr1K8","type":"Entry","createdAt":"2023-09-22T22:37:33.331Z","updatedAt":"2024-11-05T13:52:24.520Z","environment":{"sys":{"id":"master","type":"Link","linkType":"Environment"}},"publishedVersion":31,"revision":14,"contentType":{"sys":{"type":"Link","linkType":"ContentType","id":"bodyCustomerVoice"}}},"fields":{"internalTitle":"The CodeQL default queries meet the majority of our needs. We're starting to see some teams write ","people":[{"metadata":{"tags":[],"concepts":[]},"sys":{"space":{"sys":{"type":"Link","linkType":"Space","id":"wfutmusr1t3h"}},"id":"5YY4gZ4Rf8quNbAfzqo2KV","type":"Entry","createdAt":"2023-09-22T22:37:33.352Z","updatedAt":"2024-11-26T10:51:40.186Z","environment":{"sys":{"id":"master","type":"Link","linkType":"Environment"}},"publishedVersion":61,"revision":27,"contentType":{"sys":{"type":"Link","linkType":"ContentType","id":"person"}}},"fields":{"name":"Justin Watts","avatar":{"metadata":{"tags":[],"concepts":[]},"sys":{"space":{"sys":{"type":"Link","linkType":"Space","id":"wfutmusr1t3h"}},"id":"74YoK6ZSOrhetwCnTH42Xj","type":"Asset","createdAt":"2023-09-22T22:37:32.931Z","updatedAt":"2023-09-22T22:37:32.931Z","environment":{"sys":{"id":"master","type":"Link","linkType":"Environment"}},"publishedVersion":4,"revision":1},"fields":{"title":"Justin Watts","description":"Justin Watts","file":{"url":"//images.ctfassets.net/wfutmusr1t3h/74YoK6ZSOrhetwCnTH42Xj/e54a3361e8f254a648e06d9942e20840/Untitled__13_.png","details":{"size":7498,"image":{"width":100,"height":100}},"fileName":"Untitled (13).png","contentType":"image/png"}}},"title":"Director, Engineering Productivity","company":"TELUS"}}],"quote":{"data":{},"content":[{"data":{},"content":[{"data":{},"marks":[{"type":"bold"}],"value":"The CodeQL default queries meet the majority of our needs. ","nodeType":"text"},{"data":{},"marks":[],"value":"We're starting to see some teams write custom queries as developers become more familiar with the platform, but we still get a ton of value by just using the defaults.","nodeType":"text"}],"nodeType":"paragraph"}],"nodeType":"document"}}}},"content":[],"nodeType":"embedded-entry-block"},{"data":{},"content":[{"data":{},"marks":[],"value":"","nodeType":"text"}],"nodeType":"paragraph"},{"data":{},"content":[{"data":{},"marks":[],"value":"\n","nodeType":"text"}],"nodeType":"paragraph"},{"data":{},"content":[{"data":{},"marks":[],"value":"In addition to CodeQL, code scanning can be used to view and interact with any other application security tool that produces a file in the SARIF (Static Analysis Results Interchange Format) standard. GitHub provides over 70 out-of-the-box GitHub Actions to automatically integrate popular open source and commercial application security solutions from many categories, including dynamic analysis, code quality, and container security. Results from these integrations are surfaced through the code scanning interface and are displayed in the same format as CodeQL, providing a consistent experience across tooling.","nodeType":"text"}],"nodeType":"paragraph"},{"data":{},"content":[{"data":{},"marks":[],"value":"\n","nodeType":"text"}],"nodeType":"paragraph"},{"data":{},"content":[{"data":{},"marks":[],"value":"Supply chain security","nodeType":"text"}],"nodeType":"heading-2"},{"data":{},"content":[{"data":{},"marks":[],"value":"As the home of open source, GitHub offers many Supply Chain Security features for free to honor our commitment to make open source usage secure for everyone. This includes access to GitHub鈥檚 ","nodeType":"text"},{"data":{"uri":"https://github.com/advisories"},"content":[{"data":{},"marks":[],"value":"Advisory Database","nodeType":"text"}],"nodeType":"hyperlink"},{"data":{},"marks":[],"value":" and ","nodeType":"text"},{"data":{"uri":"https://securitylab.github.com/"},"content":[{"data":{},"marks":[],"value":"Security Lab","nodeType":"text"}],"nodeType":"hyperlink"},{"data":{},"marks":[],"value":" research, which host the most robust, relevant, and accurate sources of open source vulnerability data in the world, as well as dependency graph, which summarizes your dependencies, and Dependabot, which identifies vulnerabilities in dependencies and suggests automatic ways to fix, patch, or update them.","nodeType":"text"}],"nodeType":"paragraph"},{"data":{},"content":[{"data":{},"marks":[],"value":"\n","nodeType":"text"}],"nodeType":"paragraph"},{"data":{},"content":[{"data":{},"marks":[],"value":"To extend these capabilities for enterprise users, GHAS offers supply chain security tailored for the enterprise, like dependency review, a proactive feature that helps prevent insecure dependencies from making it into private repositories.","nodeType":"text"}],"nodeType":"paragraph"},{"data":{},"content":[{"data":{},"marks":[],"value":"\n","nodeType":"text"}],"nodeType":"paragraph"},{"data":{},"content":[{"data":{},"marks":[],"value":"Reporting","nodeType":"text"}],"nodeType":"heading-2"},{"data":{},"content":[{"data":{},"marks":[],"value":"Once you enable GHAS features, you can report on your security posture and adoption with security overview. Security overview provides a high-level view into how application security efforts are performing over time, while also providing granular filtering capabilities to identify and prioritize problematic areas of the codebase that require immediate attention.","nodeType":"text"}],"nodeType":"paragraph"},{"data":{},"content":[{"data":{},"marks":[],"value":"Up next: ","nodeType":"text"},{"data":{"uri":"https://resources.github.com/learn/pathways/security/essentials/enabling-github-advanced-security"},"content":[{"data":{},"marks":[],"value":"Enabling GitHub Advanced Security","nodeType":"text"}],"nodeType":"hyperlink"},{"data":{},"marks":[],"value":"","nodeType":"text"}],"nodeType":"heading-2"},{"data":{},"content":[{"data":{},"marks":[],"value":"Now that you know what each of these features do, ","nodeType":"text"},{"data":{"uri":"https://resources.github.com/learn/pathways/security/essentials/enabling-github-advanced-security"},"content":[{"data":{},"marks":[],"value":"let鈥檚 go ahead and turn them on","nodeType":"text"}],"nodeType":"hyperlink"},{"data":{},"marks":[],"value":". You might be surprised how easy it is!","nodeType":"text"}],"nodeType":"paragraph"}],"nodeType":"document"}}},"seo":{"metadata":{"tags":[],"concepts":[]},"sys":{"space":{"sys":{"type":"Link","linkType":"Space","id":"wfutmusr1t3h"}},"id":"19rkvxNlEXU6bYqXVm1Baf","type":"Entry","createdAt":"2023-09-22T22:37:33.536Z","updatedAt":"2024-10-03T12:26:58.120Z","environment":{"sys":{"id":"master","type":"Link","linkType":"Environment"}},"publishedVersion":68,"revision":31,"contentType":{"sys":{"type":"Link","linkType":"ContentType","id":"seo"}}},"fields":{"metaTitle":"Understanding GitHub Advanced Security for application security testing","metaDescription":"Enhance application security testing with GitHub Advanced Security. Discover powerful code scanning \u0026 security testing features to protect code from vulnerabilities.","metaImage":{"metadata":{"tags":[],"concepts":[]},"sys":{"space":{"sys":{"type":"Link","linkType":"Space","id":"wfutmusr1t3h"}},"id":"1Gt106FozfDrOsHiKjfRTF","type":"Asset","createdAt":"2023-10-12T19:46:48.997Z","updatedAt":"2023-10-12T19:46:48.997Z","environment":{"sys":{"id":"master","type":"Link","linkType":"Environment"}},"publishedVersion":8,"revision":1},"fields":{"title":"Meta Image L100-1 ","description":"","file":{"url":"//images.ctfassets.net/wfutmusr1t3h/1Gt106FozfDrOsHiKjfRTF/9e7f05449d55e7450fe274af705f5809/S100-1200x630-1.png","details":{"size":263343,"image":{"width":1200,"height":630}},"fileName":"S100-1200x630-1.png","contentType":"image/png"}}}}}}},"path":"/learn/pathways/security/essentials/application-security-testing-github-advanced-security","indexData":null,"type":"guidePage","featureFlags":{"featureEnabledNewFormsService":false,"featureEnabledNewAppNavigation":true,"featureEnableSearch":false},"config":{"formsEndpoint":"https://marketing-forms-api.github.com/"}},"__N_SSP":true},"page":"/[...path]","query":{"path":["learn","pathways","security","essentials","application-security-testing-github-advanced-security"]},"buildId":"ZokmF09g2SkORXwoG0TZr","isFallback":false,"isExperimentalCompile":false,"gssp":true,"locale":"en-US","locales":["en-US","ja","pt-BR","es-419","ko-KR"],"defaultLocale":"en-US","scriptLoader":[]}</script><div id="ghcc" style="position:sticky;bottom:0;z-index:99999"></div></body></html>