GitHub GitHub-Advanced-Security - GitHub Advanced Security GHAS Exam

These three features provide a complete layer of defense:

Code scanningidentifies security flaws in your source code

Secret scanningdetects exposed credentials

Dependency reviewshows the impact of package changes during a pull request

Together, they give developers actionable insight into risk and coverage throughout the SDLC.

To detect and blockvulnerable dependencies before merge, developers should use theDependency Review GitHub Actionin their pull request workflows. It scans all proposed dependency changes and flags any packages with known vulnerabilities.

This is apreventative measureduring development, unlike Dependabot, which reactsafter the fact.

Youmust enable secret scanningbefore defining custom patterns. Secret scanning provides the foundational capability for detecting exposed credentials, and custom patterns build upon that by allowing organizations to specify their own regex-based patterns for secrets unique to their environment.

Without enabling secret scanning, GitHub will not process or apply custom patterns.

Validity checks, also calledsecret validation, allow GitHub to check if a detected secret isstill active. If verified as live, the alert is marked as"valid", allowing security teams to prioritize the most critical leaks.

Push protectionblockssecrets but does not check their validity. Custom patterns are user-defined and do not include live checks.

When dealing with a data flow issue in a code scanning alert, clicking on "Show paths" provides a detailed view of the data's journey through the code. This includes the source of the data, the path it takes, and where it ends up (the sink). This information is crucial for understanding how untrusted data might reach sensitive parts of your application and helps in identifying where to implement proper validation or sanitization.​

All results from CodeQL analysis appear under therepository’s code scanning alertstab. This section is part of theSecuritytab and provides a list of all current, fixed, and dismissed alerts found by CodeQL.

A CodeQL database is used internally during scanning but does not display results. Query packs contain rules, not results. Security advisories are for published vulnerabilities, not per-repo findings.

The best proactive control ispush protection. It scans for secretsduring a git pushand blocks the commitbeforeit enters the repository.

Other options (like CODEOWNERS or security managers) help with oversight but do not prevent secret leaks.

Making a repo public would increase the risk, not reduce it.

Comprehensive and Detailed Explanation:

Secret scanning push protection is a proactive feature that scans for secrets in your code during the push process. If a secret is detected, the push is blocked, preventing the secret from being added to the repository. This helps prevent accidental exposure of sensitive information.​

GitHub Docs

Secrets committed and then deleted are still accessible in therepository’s Git history. To locate them, navigate to theCommitstab. GitHub's secret scanning can detect secrets in both current and historical commits, which is why remediation should also includerevoking the secret, not just removing it from the latest code.