GitHub is the preferred platform for millions of developers worldwide, and for good reason. Alongside its version control functionalities, GitHub provides a wealth of security features specially designed to keep your projects safe.
In this guide, we will walk you through the varied features, from security alerts for vulnerable dependencies to secret scanning, to help you fortify your code.
Before we dive deeper, let's understand why we need to focus on securing our code. With cyber threats on the rise, we simply can't ignore the importance of robust security measures. Hackers often exploit weak spots in your code and dependencies, which might be left vulnerable accidentally.
GitHub has automated security features that help mitigate these risks, making your projects resilient to such threats.
You can enable and configure these security features on all repositories, by navigating to the Security & Analysis tab in your organisation's settings.
Or you can also enable/disable security features on individual repositories, by navigating to the Security tab in your repository's settings.
Recommendation: I recommended to enable these features on all repositories (existing and new) in your organisation, and if absolutely necessary, disable the ones you do not need on a per repository basis.
Let's take a look at some of these security features in a bit more detail.
GitHub's Dependabot Alerts monitors your dependencies (viewable under the repository Security > vulnerability alerts > Dependabot) and sends alerts when it encounters any vulnerabilities.
For example, consider you're using an outdated or vulnerable version of a library. Dependabot would send you an alert mentioning the vulnerability, its severity level, and steps to resolve it. Depending on how serious the issue is, GitHub can generate an automated security update to alleviate the risk, bolstering your code's security.
In the rush of development work, it's not uncommon to accidentally commit sensitive details like API keys or passwords. GitHub's Secret Scanning feature comes in handy here.
Suppose you unknowingly committed an Azure Storage Account Access Key to your repository. The Secret Scanning feature, once activated, would identify this and notify you or the secret provider. You can then revoke the compromised secret and generate a new one, thereby preventing any unauthorised access.
Have a look at the supported-secrets for more information.
GitHub's Code Scanning feature, empowered by the semantic analysis engine CodeQL, is a crucial security tool that scans your code for any potential vulnerabilities.
Consider a scenario where a developer unknowingly introduces a SQL injection vulnerability in their code. The Code Scanning feature would identify this vulnerability during its analysis, providing a description of the issue and advice for resolution. This proactive approach to threat detection allows for resolution before any damage occurs.
Have a look at supported languages and frameworks for more information.
If your repository hosts supported CodeQL languages, you can either let GitHub automatically analyse your code by using a default setting or allow you to customise an advanced configuration using a YAML config.
Here is what a default configuration config would looks like:
If your repository does not host supported CodeQL languages, or even if it does, but also contain other languages or frameworks, you can also add third-party code scanning tools in addition to your repository to further enhance your code's security, such as:
- SonarCloud: A cloud-based code analysis service that automatically detects bugs, vulnerabilities, and code smells in your code.
- TfSec: A static analysis security scanner for your Terraform code.
- trivy: Scan Docker container images for vulnerabilities in OS packages and language dependencies.
At the time of this writing there are over 70 third-party code scanning tools/workflows available for use, and the list is growing.
Dependabot Security Updates is a security tool that handles your project dependencies by generating alerts for vulnerabilities as mentioned earlier, but can also create pull requests to update them.
Dependabot Security Updates is a feature of Dependabot, which is a bot that automates dependency updates not just for security, but also for non-security updates, or out of date dependencies, keeping your project up to date.
For instance, if a new version of a dependency you're using is released that fixes a major security flaw, Dependabot would send an alert. It would also raise a pull request to update the dependency version in your project, keeping your project secure without requiring manual intervention.
Here is an example of a Dependabot pull request where it has updated the Terraform AzureRM Provider from version 3.69.0 to 3.71.0:
Have a look at all the supported package ecosystems Dependabot supports for more information.
You can also look at what dependencies are being monitored by Dependabot in your repository by navigating to the Insights tab in your repository.
GitHub allows developers to forge their security policies and advisories by allowing anyone to report security vulnerabilities directly and privately to the maintainers.
- A security policy document assists contributors in understanding how to report a security vulnerability in your project. It's like creating a help page for a user who identifies a potential breach, thereby promoting responsible reporting.
- A security advisory, on the other hand, allows you to interact with users regarding identified vulnerabilities. For example, you could use an advisory to discuss a recently discovered flaw in your project, suggest a workaround, and preview a fix before public disclosure.
When private vulnerability reporting is enabled for a repository, security researchers will see a new button in the Advisories page of the repository. The security researcher can click this button to privately discuss, fix, and publish information about security vulnerabilities in your repository's code.
Have a look at Privately reporting a security vulnerability for more information.
GitHub's security features can drastically help lower the risks of your code getting exploited. By using these tools in concert, you benefit from both proactive detection and resolution of potential vulnerabilities.
Moreover, the value of automating your code security cannot be overstated. With these automated features, you can manage vulnerabilities, dependencies, and other threats all in one place. The ability to find and fix issues before they become problematic means you can continue to write code confidently.
By harnessing the potential of GitHub's security features, you are taking a significant step towards a more secure coding environment. Protecting your code is as crucial as writing it. Lean on GitHub's comprehensive suite of security tools and keep your projects safe and resilient.
I hope you have enjoyed this post and have learned something new. ❤️