Code Scanning in GitHub

Using GitHub Code Scanning to find vulnerabilities in your code

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

⚙️ Part of my series on Automating Cybersecurity Metrics. The Code.

🔒 Related Stories: GitHub Security | Application Security | Secure Code

💻 Free Content on Jobs in Cybersecurity | ✉️ Sign up for the Email List

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

I got a call at IANS Research about GitHub security so I was reviewing some of the latest information on the topic and decided to set up GitHub Code Scanning. It’s a pretty cool feature that can help you find problems in your code. Whether or not this code scanning tool works for you depends on a few factors so you’ll have to test it out, but here’s how it works. It just takes a few steps to set it up.

Head over to your repo and click on settings.

Scroll down and click on Code security and analysis.

Under settings click on Code scanning. Click Set up.

I chose the Default option. If you want to explore the Advanced option you can write additional queries to find specific vulnerabilities you are seeking.

I set this up on the repository that contains the code I’m writing for my latest blog series on security metrics automation (and cloud governance):

GitHub - tradichel/SecurityMetricsAutomation

This code is associated with a series of blog posts. Please refer to these posts for more information: Automating…

github.com

It takes a little while for the analysis to complete. After it does, head back to your GitHub repo and if any findings exist there will be a number next to the security link at the top of the repository. I had one. What?!

When I took a look at the finding, it was because I had printed out a password of a piece of test code — which I explicitly told you not to do in production code ever because the password should remain secret and not be exposed on the screen or in logs. Well, that’s an accurate finding!

In addition to what GitHub has to offer, you can integrate code scanning from Other tools. Click on the Explore workflows link.

Here you can choose and test out a number of different tools, such as DevSkim which I’ve used before and is free.

This is a pretty nice feature from GitHub and it’s very easy to set up.

GitHub Code Scanning uses GitHub actions so you’ll want to check the cost of that if you have a lot of repositories to scan.

About billing for GitHub Actions - GitHub Docs

GitHub Actions usage is free for standard GitHub-hosted runners in public repositories, and for self-hosted runners…

docs.github.com

Enjoy and Secure Your Code!

Secure Code By Design

Programming tactics that prevent vulnerabilities and defend applications against cyber attacks

medium.com

Follow for updates.

About Teri Radichel:
~~~~~~~~~~~~~~~~~~~~
⭐️ Author: Cybersecurity Books
⭐️ Presentations: Presentations by Teri Radichel
⭐️ Recognition: SANS Award, AWS Security Hero, IANS Faculty
⭐️ Certifications: SANS ~ GSE 240
⭐️ Education: BA Business, Master of Software Engineering, Master of Infosec
⭐️ Company: Penetration Tests, Assessments, Phone Consulting ~ 2nd Sight Lab

Need Help With Cybersecurity, Cloud, or Application Security?
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
🔒 Request a penetration test or security assessment
🔒 Schedule a consulting call
🔒 Cybersecurity Speaker for Presentation

Follow for more stories like this:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 
❤️ Sign Up my Medium Email List
❤️ Twitter: @teriradichel
❤️ LinkedIn: https://www.linkedin.com/in/teriradichel
❤️ Mastodon: @teriradichel@infosec.exchange
❤️ Facebook: 2nd Sight Lab
❤️ YouTube: @2ndsightlab

Summarize