|
| 1 | +# GitHub Advanced Security |
| 2 | + |
| 3 | +[GitHub Advanced Security (GHAS)](https://docs.github.com/en/get-started/learning-about-github/about-github-advanced-security) is GitHub's suite of built-in security features. It is enabled on every repository in the Defra GitHub organisation. |
| 4 | + |
| 5 | +GHAS includes: |
| 6 | + |
| 7 | +- **Secret scanning** - detects secrets such as API keys and tokens committed to code |
| 8 | +- **Push protection** - proactively blocks pushes that contain detected secrets |
| 9 | +- **Dependabot** - identifies vulnerable or outdated dependencies and can automatically raise pull requests to address them |
| 10 | +- **Code scanning** - performs static analysis to surface potential security vulnerabilities in code |
| 11 | + |
| 12 | +Teams should maximise use of these built-in features. See the [security standards](../standards/security_standards.md) for configuration expectations. |
| 13 | + |
| 14 | +## Secret scanning |
| 15 | + |
| 16 | +GitHub scans all commits for secrets such as passwords, API keys, and tokens. Alerts appear under the **Security and Quality** tab in your repository and are also visible in the [Defra security overview](https://github.com/orgs/DEFRA/security/overview). |
| 17 | + |
| 18 | +There are two types of alert: |
| 19 | + |
| 20 | +- **Default alerts** - match GitHub's known secret patterns, plus any custom patterns added for the Defra organisation. These are higher confidence. |
| 21 | +- **Generic alerts** - detected by GitHub's AI analysis and do not follow a known provider pattern. These have a higher rate of false positives. |
| 22 | + |
| 23 | +Alerts indicate _potential_ secret exposure that needs investigation, not confirmed exposure. Archived repositories are included in secret scanning results - even though the code is no longer maintained, the secret value may still be active. |
| 24 | + |
| 25 | +View all secret scanning alerts for the Defra org: |
| 26 | + |
| 27 | +- [Default secret alerts](https://github.com/orgs/DEFRA/security/alerts/secret-scanning) |
| 28 | +- [Generic secret alerts](https://github.com/orgs/DEFRA/security/alerts/secret-scanning?query=is%3Aopen+results%3Ageneric) |
| 29 | + |
| 30 | +### Push protection |
| 31 | + |
| 32 | +[Push protection](https://docs.github.com/en/code-security/secret-scanning/introduction/about-push-protection) is enabled across the Defra organisation. GitHub will block a push if it detects a potential secret in the code before it is published to the repository. |
| 33 | + |
| 34 | +Only an **admin** can bypass push protection. If you believe a detection is a false positive, you can submit a bypass request through the GitHub UI by providing a reason. |
| 35 | + |
| 36 | +**You must then post in the [`#github-support`](https://defra-digital.slack.com/archives/C015VCNLKFE) channel on the defra-digital Slack to have your request actioned.** Include: |
| 37 | + |
| 38 | +- a link to the bypass request |
| 39 | +- a brief explanation of why the protection should be bypassed |
| 40 | + |
| 41 | +See the [resolving GitHub security alerts](../processes/github_security_alerts.md) process for full details. |
| 42 | + |
| 43 | +### Custom secret patterns |
| 44 | + |
| 45 | +The Defra organisation has custom secret patterns in addition to GitHub's defaults. Teams can request new custom patterns by posting in [`#github-support`](https://defra-digital.slack.com/archives/C015VCNLKFE) on the defra-digital Slack. |
| 46 | + |
| 47 | +### If a secret has been exposed |
| 48 | + |
| 49 | +If a secret has already been committed and published, follow the [credential exposure process](../processes/credential_exposure.md). The key point is: once exposed, always treat the secret as compromised - rotate it immediately regardless of how quickly the commit was removed. |
| 50 | + |
| 51 | +## Vulnerability alerts |
| 52 | + |
| 53 | +[Dependabot](https://docs.github.com/en/code-security/dependabot) scans your repository's dependencies against the GitHub Advisory Database and raises alerts when a vulnerability is detected. It can also automatically raise pull requests to update affected packages. |
| 54 | + |
| 55 | +Vulnerability alerts appear in the **Security and Quality** tab of your repository and in the [Defra vulnerabilities overview](https://github.com/orgs/DEFRA/security/alerts/dependabot). |
| 56 | + |
| 57 | +Vulnerabilities in dependencies are common across all languages and frameworks. A new vulnerability alert does not mean the code has changed - it means someone has discovered a new way to exploit existing code. The risk is failing to respond to that information. |
| 58 | + |
| 59 | +Teams should: |
| 60 | + |
| 61 | +- regularly review Dependabot alerts in their repositories |
| 62 | +- action alerts promptly - either by patching the dependency or dismissing the alert with a reason |
| 63 | + |
| 64 | +Only an **admin** can dismiss a Dependabot alert. If you need to dismiss one, submit the dismissal through the GitHub UI and then post in [`#github-support`](https://defra-digital.slack.com/archives/C015VCNLKFE) to have it approved. |
| 65 | + |
| 66 | +Include: |
| 67 | +- a link to the dismissal request |
| 68 | +- a brief explanation of why the alert can be dismissed |
| 69 | + |
| 70 | +See the [resolving GitHub security alerts](../processes/github_security_alerts.md) process for full details. |
| 71 | + |
| 72 | +## Code scanning |
| 73 | + |
| 74 | +[Code scanning](https://docs.github.com/en/code-security/code-scanning/introduction-to-code-scanning/about-code-scanning) uses [CodeQL](https://docs.github.com/en/code-security/code-scanning/introduction-to-code-scanning/about-code-scanning-with-codeql) to perform static analysis on your code and surface potential security vulnerabilities. Alerts appear in the **Security and Quality** tab of your repository. |
| 75 | + |
| 76 | +Like Dependabot alerts, code scanning alert dismissals require admin approval - post in [`#github-support`](https://defra-digital.slack.com/archives/C015VCNLKFE) with a link to the dismissal and a brief reason. |
| 77 | + |
| 78 | +## Security overview |
| 79 | + |
| 80 | +The [Defra security overview](https://github.com/orgs/DEFRA/security/overview) provides an org-wide breakdown of potential threats across all repositories. It includes: |
| 81 | + |
| 82 | +- [**Malware**](https://github.com/orgs/DEFRA/security/alerts/malware) - repositories potentially containing known malware |
| 83 | +- [**Vulnerabilities**](https://github.com/orgs/DEFRA/security/alerts/dependabot) - repositories with known dependency vulnerabilities that have not been archived |
| 84 | +- [**Default secrets**](https://github.com/orgs/DEFRA/security/alerts/secret-scanning) - potential secrets matching known provider patterns or custom org patterns |
| 85 | +- [**Generic secrets**](https://github.com/orgs/DEFRA/security/alerts/secret-scanning?query=is%3Aopen+results%3Ageneric) - potential secrets detected by AI analysis |
| 86 | + |
| 87 | +## Monitoring security alerts |
| 88 | + |
| 89 | +Teams are responsible for staying on top of security alerts in their repositories. |
| 90 | + |
| 91 | +### Repository Security tab |
| 92 | + |
| 93 | +The **Security and Quality** tab in every GitHub repository shows all open Dependabot, code scanning, and secret scanning alerts. Review it regularly - alerts appear as soon as they are detected, without needing to trigger a build. |
| 94 | + |
| 95 | +### GitHub notifications |
| 96 | + |
| 97 | +You can configure [GitHub notifications](https://docs.github.com/en/account-and-profile/managing-subscriptions-and-notifications-on-github/setting-up-notifications/configuring-notifications) to receive alerts for security vulnerabilities in repositories you watch. This helps teams respond to new alerts promptly. |
| 98 | + |
| 99 | +### Dismissing or bypassing alerts |
| 100 | + |
| 101 | +Only an **admin** can bypass push protection or dismiss a security alert. In all cases, post in [`#github-support`](https://defra-digital.slack.com/archives/C015VCNLKFE) on the defra-digital Slack with a link to the request and a brief reason. |
| 102 | + |
| 103 | +See the [resolving GitHub security alerts](../processes/github_security_alerts.md) process for full details. |
0 commit comments