GHAS Code Scanning / Secret Scanning
Definition
GitHub Advanced Security (GHAS) provides Code Scanning and Secret Scanning features to enhance application security. Code Scanning analyzes code for vulnerabilities and coding errors, integrating seamlessly into the development workflow to catch issues early. Secret Scanning identifies and alerts on hardcoded secrets, such as API keys and passwords, preventing unauthorized access and data breaches.
Secure Settings Example
# GitHub Actions workflow for code scanning
name: CodeQL
on:
  push:
    branches: [ main ]
  pull_request:
    branches: [ main ]
  schedule:
    - cron: '0 0 * * 0'   # weekly re-scan of the default branch
jobs:
  analyze:
    name: Analyze
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2
      - name: Initialize CodeQL
        uses: github/codeql-action/init@v2
        with:
          languages: 'javascript'
      - name: Perform CodeQL Analysis
        uses: github/codeql-action/analyze@v2
Insecure Settings Example
# GitHub Actions workflow with a wildcard pull_request branch filter and no scheduled scan
name: CodeQL
on:
  push:
    branches: [ main ]
  pull_request:
    # Wildcard filter (equivalent to no branch restriction) runs a scan on every branch, potentially causing noise
    branches: [ '**' ]
jobs:
  analyze:
    name: Analyze
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2
      - name: Initialize CodeQL
        uses: github/codeql-action/init@v2
        with:
          languages: 'javascript'
      - name: Perform CodeQL Analysis
        uses: github/codeql-action/analyze@v2
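To check a repository's CodeQL workflow against the two settings contrasted above, here is an added audit script (not from GitHub or the CodeQL action; the audit_workflow function and the trimmed sample workflows are constructed for this example). It flags a missing or wildcard pull_request branch filter, a missing schedule trigger, and a missing init or analyze step.

```python
import re

# Constructed samples modelled on the page's two workflows, trimmed to what the audit reads.
SECURE = """\
on:
  push:
    branches: [ main ]
  pull_request:
    branches: [ main ]
  schedule:
    - cron: '0 0 * * 0'
jobs:
  analyze:
    steps:
      - uses: github/codeql-action/init@v2
      - uses: github/codeql-action/analyze@v2
"""
INSECURE = """\
on:
  push:
    branches: [ main ]
  pull_request:
    # wildcard filter: every branch triggers a scan
    branches: [ '**' ]
jobs:
  analyze:
    steps:
      - uses: github/codeql-action/init@v2
      - uses: github/codeql-action/analyze@v2
"""

def section(text, key):
    """Return the stripped body lines under the first `<key>:` line (indent-aware, comments dropped)."""
    body, base = [], None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        indent = len(line) - len(line.lstrip())
        if base is None:
            if line.strip() == key + ":":
                base = indent
            continue
        if indent <= base:
            break
        body.append(line.strip())
    return body

WILDCARD = re.compile(r"""^branches:\s*\[?\s*['"]?\*""")  # matches '*' or '**' as the first pattern

def audit_workflow(text):
    """Return findings for a CodeQL workflow; an empty list means every check passed."""
    findings = []
    if not re.search(r"^\s*pull_request:", text, re.M):
        findings.append("no pull_request trigger: pull requests are not scanned before merge")
    else:
        pr = section(text, "pull_request")
        if not any(l.startswith("branches:") for l in pr) or any(WILDCARD.match(l) for l in pr):
            findings.append("pull_request: branch filter missing or wildcard, so every branch is scanned")
    if not re.search(r"^\s*schedule:", text, re.M):
        findings.append("no schedule trigger: the default branch is not re-scanned periodically")
    for step in ("init", "analyze"):
        if f"codeql-action/{step}@" not in text:
            findings.append(f"missing github/codeql-action/{step} step")
    return findings
```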