If you did not do a POC or just want to check on the basics, take a look at this guide.
- Are we sure the right people are getting Dependabot alerts and Secret Scanning?
- Set up discussions with developers and engineers to review GHAS scan results, the ideal developer flow, and integrations.
- Are we using Slack Actions?
- Is JIRA set up right?
- Do we have a plan and policy for ignores?
- Are we using the Security Manager role?
- Define custom repository roles to assign granular permissions like "read/write/delete" code scanning results.
- Are you seeing all seats, i.e. have we provisioned the right org for you?
- Utilize Dependency Review Enforcement. The action scans for vulnerable versions of dependencies or blocked open source licenses introduced in pull requests, and warns you about the associated security vulnerabilities.
- Are we using release branches?
- Are we using topics and filters to filter out noise, e.g. `has:update`, so you're not investigating 'unfixables'?
- Plan for transitives?
- Are we using custom patterns and CodeQL to find database connection strings?
- Are we on a recent version of CodeQL?
- Do we need to pin CodeQL versions?
- Do we know how to ask for updates to CodeQL queries in the public repo?
- Are we using CI/CD to create templated repos with code scanning?
- Are we using caching for CodeQL?
- Test dismissing unwanted Code Scanning or Secret Scanning alerts to a "Closed" state by marking them as "Used in tests", etc.
- Configure code scanning pull request checks and branch protection rules.
- Optimize your codeql-analysis.yml to avoid unnecessary scans, etc.
- Create a custom CodeQL configuration file to do things like include/exclude specific queries.
- Explore the GHAS API: the Code Scanning API and the Secret Scanning API.
- Use the Parallel Code Scanning Action to parallelize the code scans of interpreted language monorepos by splitting the scanning work into various parallel jobs which will individually analyze only a subset of the files in the repository.
- Write your own CodeQL Query and run it as part of your Code Scans.
- Use the CodeQL VS Code extension to find unreachable code.
- Plan to use multi-repository variant analysis?
- Get detailed GHAS Metrics Dashboard in your SIEM Solution (Splunk, Azure Sentinel, Datadog, Sumologic, Elastic)
- View and address code scanning results in the Visual Studio Code IDE using the SARIF Viewer extension developed by Microsoft DevLabs (Official GitHub Blog Post).
- Define "Policy-as-Code" with the Advanced Security Compliance GitHub Action. Advanced Security Compliance allows users to configure yaml based risk thresholds for security issues reported by GitHub Code Scanning, Secret Scanning and Dependabot Security. Create policies for open source dependency license usage, specific CodeQL rule blocks, time to remediation and more.
- Test out GHAS PR Notifications. A GitHub App that demonstrates how to add detailed code scanning comments to Pull Requests and track closed findings.
- Bulk enable GHAS features (including `codeql-analysis.yml`) across all of your repositories using the "ghas-enablement" tool.
- Variable cost - do we know what runners we're using and on what platforms for scans? What's the anticipated cost per run? And who is aware of the cost and how to chargeback internally if needed?
- Do we know how to monitor for active committer counts?
- Next board level / SLT reporting date communicated to Raf?
- GitHub Advanced Security API to CSV is a "simple GitHub Action to scrape the GitHub Advanced Security API and shove it into a CSV".
- Generate a PDF report for GitHub Advanced Security Code Scan Results and Dependency Vulnerabilities with the GitHub Security Report Action.
- Are we in the latest betas for macOS runners, Kotlin and Swift?
- Are we taking advantage of free Android hardware acceleration?
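As an added example, not part of the original checklist, here is the kind of custom CodeQL configuration file the "custom CodeQL configuration file", "optimize your codeql-analysis.yml" and "write your own CodeQL query" items above refer to; the file path, the `codeql-custom-queries` directory, the ignored paths and the excluded query id are assumptions for illustration. The workflow picks it up through the `config-file` input of the `github/codeql-action/init` step.

```yaml
# .github/codeql/codeql-config.yml  (assumed path; referenced from the
# workflow as:  with: config-file: ./.github/codeql/codeql-config.yml)
name: "GHAS rollout - custom CodeQL config"

# Keep the default query suite; we only add to it and filter it below.
disable-default-queries: false

queries:
  # Broader built-in suite: more security queries, slightly lower precision.
  - uses: security-extended
  # Our own .ql files, checked into the repo (L27: "write your own query").
  # Directory name is an assumption for this example.
  - uses: ./codeql-custom-queries

query-filters:
  # Drop low-signal "recommendation" results so triage stays focused on
  # findings with a security impact.
  - exclude:
      problem.severity: recommendation
  # Silence one specific query that produced noise for this codebase.
  # The id is a real CodeQL JavaScript query used here only as an example;
  # swap in the id shown on the alert you want to exclude.
  - exclude:
      id: js/angular/disabling-sce

# Only analyze application code; skipping vendored, generated and test
# code avoids unnecessary scan time and the alerts you would dismiss anyway.
paths:
  - src
paths-ignore:
  - '**/node_modules/**'
  - '**/vendor/**'
  - '**/test/**'
  - '**/*.generated.*'
```

Exclusions made here are recorded in the repository rather than in individual alert dismissals, which makes the "plan and policy for ignores" reviewable in pull requests.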