Configuring GitHub Advanced Security for GitHub and Azure DevOps

Configuring GitHub Advanced Security for GitHub and Azure DevOps

GitHub Advanced Security (GHAS) is a suite of security features designed to help developers identify and resolve vulnerabilities within their code. It includes powerful tools for code scanning, secret scanning, dependency reviews, and security advisories.

When integrated with Azure DevOps, GHAS enables security scanning across repositories, CI/CD pipelines, and workflows, ensuring both code and cloud environments are continuously monitored for vulnerabilities.

Below is a detailed guide on how to configure GitHub Advanced Security for both GitHub and Azure DevOps, including key components and features for each platform.

Key Components of GitHub Advanced Security

GitHub Advanced Security includes several features designed to protect code and improve the security of your development lifecycle. The core components of GHAS are:

1. Code Scanning:

• Automatically scans your code for security vulnerabilities by integrating GitHub Actions with CodeQL or other security tools.

• Results appear in the Security tab of your GitHub repository.

• Can be configured to run on pull requests, pushes, or on a scheduled basis.

2. Secret Scanning:

• Detects API keys, passwords, or other sensitive information exposed in the code or commit history.

• Secret scanning flags secrets in the code and prevents accidental leaks of private data.

• Can be extended to scan for specific secrets defined by the organization.

3. Dependency Reviews:

• Provides insights into vulnerabilities in third-party dependencies (e.g., npm, Python, etc.).

• Displays a detailed report on vulnerabilities in dependencies and suggests updates or fixes.

• Works with Dependabot to automatically update insecure dependencies.

4. Custom Auto-Triage Rules:

• Allows you to create custom rules for automating the triage of security findings.

• Automatically labels, assigns, or ignores issues based on predefined criteria.

• Enables more efficient management of security alerts, especially in large teams or repositories.

5. Security Advisories:

• Allows teams to create, publish, and manage security advisories for vulnerabilities found in repositories.

• Advisories can be shared publicly or privately, helping you communicate security risks to the wider community or your users.

GitHub Advanced Security for GitHub Repositories

Step 1: Enable GitHub Advanced Security

To get started with GHAS on GitHub, follow these steps:

1. GitHub Repository Settings:

   • Navigate to the repository where you want to enable GHAS.

   • Under Settings, go to the Security & analysis section.

   • Enable the following features:

     • Code scanning: Enable CodeQL or another compatible tool.

     • Secret scanning: Automatically detect secrets in the code.

     • Dependency review: Enable dependency review for vulnerable packages.

     • GitHub Advanced Security: Enable if it's not already active (required for certain advanced features like auto-triage).

2. Configure Code Scanning (CodeQL):

Use GitHub Actions to create a CodeQL workflow:

Create a .github/workflows/codeql-analysis.yml file in your repository with the following content:

xxxxxxxxxx
17
1
name: "CodeQL Analysis"
2
on:
3
  push:
4
    branches: [main]
5
  pull_request:
6
    branches: [main]
7
jobs:
8
  analyze:
9
    name: Analyze Code with CodeQL
10
    runs-on: ubuntu-latest
11
    steps:
12
      - name: Checkout code
13
        uses: actions/checkout@v2
14
      - name: Set up CodeQL
15
        uses: github/codeql-action/setup@v2
16
      - name: Perform CodeQL analysis
17
        uses: github/codeql-action/analyze@v2

This workflow will scan your code on every push or pull request and report findings under the Security tab.

3. Configure Secret Scanning:

• To detect sensitive information in your repository, enable Secret scanning.

• GitHub automatically scans for common secrets such as AWS keys, API tokens, and OAuth tokens.

• For custom secret scanning (e.g., organization-specific secrets), use the GitHub Secrets API or define custom patterns.

4. Enable Dependency Review:

• Automatically review the dependencies in your repository using Dependabot.

• In the Security & analysis section of your repository settings, enable Dependency review and configure Dependabot.

• Dependabot will automatically open pull requests to update dependencies when vulnerabilities are found.

5. Manage Security Advisories:

• Create security advisories from the Security tab of your repository by selecting Advisories.

• When a vulnerability is identified in your repository, create an advisory and provide details about the issue and possible fixes.

• You can set the advisory as public or private.

GitHub Advanced Security for Azure DevOps

Azure DevOps does not have the same built-in GitHub Advanced Security features, but you can integrate GHAS tools like Secret Scanning, Code Scanning, Dependency Scanning, and others into your Azure DevOps CI/CD pipelines.

Step 2: Set Up GitHub Advanced Security in Azure DevOps Pipelines

To integrate GitHub Advanced Security tools into Azure DevOps, follow these steps:

Secret Scanning in Azure DevOps (Push Protection and Repo Scanning)

• Push Protection:

  • Azure DevOps doesn't natively support GitHub’s Secret Scanning Push Protection, but you can use a combination of GitHub’s native secret scanning and Azure DevOps pipeline policies.

  • In GitHub, you can enable secret scanning for repositories, which will automatically scan pushed code for sensitive data (e.g., passwords, API keys).

  • You can configure Azure DevOps Git Hooks or pre-push hooks in local repositories to prevent secrets from being pushed to GitHub.

• Secret Scanning in Repositories:

  • Use GitHub Advanced Security secret scanning within your repositories to automatically detect exposed secrets in code that is pushed to GitHub.

  • This works automatically as part of GitHub’s native secret scanning feature.

2. Dependency Scanning in Azure DevOps Pipelines

• Enable Dependency Scanning:

  • Use GitHub’s Dependabot integrated with your Azure DevOps pipeline to keep dependencies updated. If you’re using GitHub-hosted repositories:

  • Configure Dependabot in GitHub to run on your repository.

  • Dependabot will submit pull requests to update vulnerable dependencies. These changes can be synchronized with your Azure DevOps pipelines for further validation.

  • If you're using Azure DevOps repositories, you can use tools like WhiteSource or SonarCloud (integrated into Azure DevOps) for dependency scanning. These tools help to identify vulnerabilities in open-source components and dependencies.

3. Code Scanning in Azure DevOps Pipelines

• Set Up Code Scanning with GitHub Actions:

  • GitHub Advanced Security integrates with GitHub Actions. To run security scans on code in Azure DevOps, you can invoke GitHub Actions workflows within Azure DevOps pipelines.

  • Example: You can use GitHub Actions in your Azure DevOps pipeline to trigger code scanning (e.g., CodeQL) as follows:

  xxxxxxxxxx
  13
  1
  trigger:
  2
  branches:
  3
     include:
  4
        - main
  5
  pool:
  6
  vmImage: 'ubuntu-latest'
  7
  steps:
  8
  - task: UseGitHubAction@1
  9
     inputs:
  10
        githubActionName: 'codeql-action'
  11
        repository: '<your-github-repo>'
  12
        githubToken: $(githubToken)
  13
        arguments: '--branch $(Build.SourceBranch)'
  

• Integrate CodeQL in Azure DevOps:

  • You can integrate CodeQL directly in Azure DevOps pipelines using custom tasks or by invoking GitHub Actions (as mentioned above). Alternatively, use tools like SonarQube to scan code for vulnerabilities directly within the Azure DevOps pipeline.

Custom Auto-Triage Rules

Custom Auto-Triage Rules in GitHub Advanced Security allow for automated management of security alerts. This can be extremely useful in large-scale environments where manual triage of security alerts is time-consuming.

Here's how to configure it:

1. Create Auto-Triage Rules in GitHub:

• In the Security tab of your GitHub repository, go to Code scanning alerts.

• Select Manage auto-triage rules.

• Create rules based on conditions like severity, affected paths, and alert categories.

These rules will:

• Automatically label issues.

• Assign them to specific team members.

• Close low-severity issues.

2. Integrate Auto-Triage with Azure DevOps:

Use GitHub Actions in Azure DevOps to automate responses to detected vulnerabilities.

Example:

Use GitHub’s REST API to trigger actions in your Azure DevOps pipeline when a vulnerability is found.

Summary

Integrating GitHub Advanced Security with Azure DevOps provides comprehensive security throughout the development lifecycle. By using GitHub’s powerful tools like Code Scanning, Secret Scanning, Dependency Review, and Security Advisories, alongside Azure DevOps' CI/CD pipeline features, teams can enhance their DevSecOps practices.

For GitHub repositories, enabling these features directly within the repository settings is straightforward. For Azure DevOps, integrating GitHub's security tools with Azure DevOps CI/CD pipelines provides additional flexibility and enhances overall security.

By configuring these tools correctly, organizations can ensure a more secure development and deployment process, mitigating risks from vulnerabilities in code, secrets, and dependencies early in the development cycle.