Skip to content

Commit b356f18

Browse files
Add GitHub Advanced Security guide (#134)
1 parent a0cb4f4 commit b356f18

6 files changed

Lines changed: 116 additions & 6 deletions

File tree

docs/README.md

Lines changed: 1 addition & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -81,6 +81,7 @@ These guides provide additional support for meeting and working with the standar
8181
- [Choosing packages](./guides/choosing_packages.md)
8282
- [Developer workflows](./guides/developer_workflows.md)
8383
- [Docker guidance](./guides/docker_guidance.md)
84+
- [GitHub Advanced Security](./guides/github_advanced_security.md)
8485
- [Java auto-format with Eclipse](./guides/java_auto_format_eclipse.md)
8586
- [Kubernetes](./guides/kubernetes.md)
8687
- [Managing Application Credentials](./guides/application_credentials.md)

docs/guides/README.md

Lines changed: 2 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -32,6 +32,8 @@ Security issues can arise when one code component incorrectly assumes another ha
3232

3333
Keep secrets such as passwords and private keys logically isolated from the core code base. This will help prevent them being checked in to public code repositories. Hard coding credentials in source code is bad practice.
3434

35+
See the [GitHub Advanced Security guide](github_advanced_security.md) for how Defra uses secret scanning and push protection to detect and prevent secret exposure.
36+
3537
### Do small and regular code commits
3638

3739
Performing effective review becomes more difficult when large changes are made with each commit. Small and clearly labelled commits simplify the review and roll back process.
Lines changed: 103 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,103 @@
1+
# GitHub Advanced Security
2+
3+
[GitHub Advanced Security (GHAS)](https://docs.github.com/en/get-started/learning-about-github/about-github-advanced-security) is GitHub's suite of built-in security features. It is enabled on every repository in the Defra GitHub organisation.
4+
5+
GHAS includes:
6+
7+
- **Secret scanning** - detects secrets such as API keys and tokens committed to code
8+
- **Push protection** - proactively blocks pushes that contain detected secrets
9+
- **Dependabot** - identifies vulnerable or outdated dependencies and can automatically raise pull requests to address them
10+
- **Code scanning** - performs static analysis to surface potential security vulnerabilities in code
11+
12+
Teams should maximise use of these built-in features. See the [security standards](../standards/security_standards.md) for configuration expectations.
13+
14+
## Secret scanning
15+
16+
GitHub scans all commits for secrets such as passwords, API keys, and tokens. Alerts appear under the **Security and Quality** tab in your repository and are also visible in the [Defra security overview](https://github.com/orgs/DEFRA/security/overview).
17+
18+
There are two types of alert:
19+
20+
- **Default alerts** - match GitHub's known secret patterns, plus any custom patterns added for the Defra organisation. These are higher confidence.
21+
- **Generic alerts** - detected by GitHub's AI analysis and do not follow a known provider pattern. These have a higher rate of false positives.
22+
23+
Alerts indicate _potential_ secret exposure that needs investigation, not confirmed exposure. Archived repositories are included in secret scanning results - even though the code is no longer maintained, the secret value may still be active.
24+
25+
View all secret scanning alerts for the Defra org:
26+
27+
- [Default secret alerts](https://github.com/orgs/DEFRA/security/alerts/secret-scanning)
28+
- [Generic secret alerts](https://github.com/orgs/DEFRA/security/alerts/secret-scanning?query=is%3Aopen+results%3Ageneric)
29+
30+
### Push protection
31+
32+
[Push protection](https://docs.github.com/en/code-security/secret-scanning/introduction/about-push-protection) is enabled across the Defra organisation. GitHub will block a push if it detects a potential secret in the code before it is published to the repository.
33+
34+
Only an **admin** can bypass push protection. If you believe a detection is a false positive, you can submit a bypass request through the GitHub UI by providing a reason.
35+
36+
**You must then post in the [`#github-support`](https://defra-digital.slack.com/archives/C015VCNLKFE) channel on the defra-digital Slack to have your request actioned.** Include:
37+
38+
- a link to the bypass request
39+
- a brief explanation of why the protection should be bypassed
40+
41+
See the [resolving GitHub security alerts](../processes/github_security_alerts.md) process for full details.
42+
43+
### Custom secret patterns
44+
45+
The Defra organisation has custom secret patterns in addition to GitHub's defaults. Teams can request new custom patterns by posting in [`#github-support`](https://defra-digital.slack.com/archives/C015VCNLKFE) on the defra-digital Slack.
46+
47+
### If a secret has been exposed
48+
49+
If a secret has already been committed and published, follow the [credential exposure process](../processes/credential_exposure.md). The key point is: once exposed, always treat the secret as compromised - rotate it immediately regardless of how quickly the commit was removed.
50+
51+
## Vulnerability alerts
52+
53+
[Dependabot](https://docs.github.com/en/code-security/dependabot) scans your repository's dependencies against the GitHub Advisory Database and raises alerts when a vulnerability is detected. It can also automatically raise pull requests to update affected packages.
54+
55+
Vulnerability alerts appear in the **Security and Quality** tab of your repository and in the [Defra vulnerabilities overview](https://github.com/orgs/DEFRA/security/alerts/dependabot).
56+
57+
Vulnerabilities in dependencies are common across all languages and frameworks. A new vulnerability alert does not mean the code has changed - it means someone has discovered a new way to exploit existing code. The risk is failing to respond to that information.
58+
59+
Teams should:
60+
61+
- regularly review Dependabot alerts in their repositories
62+
- action alerts promptly - either by patching the dependency or dismissing the alert with a reason
63+
64+
Only an **admin** can dismiss a Dependabot alert. If you need to dismiss one, submit the dismissal through the GitHub UI and then post in [`#github-support`](https://defra-digital.slack.com/archives/C015VCNLKFE) to have it approved.
65+
66+
Include:
67+
- a link to the dismissal request
68+
- a brief explanation of why the alert can be dismissed
69+
70+
See the [resolving GitHub security alerts](../processes/github_security_alerts.md) process for full details.
71+
72+
## Code scanning
73+
74+
[Code scanning](https://docs.github.com/en/code-security/code-scanning/introduction-to-code-scanning/about-code-scanning) uses [CodeQL](https://docs.github.com/en/code-security/code-scanning/introduction-to-code-scanning/about-code-scanning-with-codeql) to perform static analysis on your code and surface potential security vulnerabilities. Alerts appear in the **Security and Quality** tab of your repository.
75+
76+
Like Dependabot alerts, code scanning alert dismissals require admin approval - post in [`#github-support`](https://defra-digital.slack.com/archives/C015VCNLKFE) with a link to the dismissal and a brief reason.
77+
78+
## Security overview
79+
80+
The [Defra security overview](https://github.com/orgs/DEFRA/security/overview) provides an org-wide breakdown of potential threats across all repositories. It includes:
81+
82+
- [**Malware**](https://github.com/orgs/DEFRA/security/alerts/malware) - repositories potentially containing known malware
83+
- [**Vulnerabilities**](https://github.com/orgs/DEFRA/security/alerts/dependabot) - repositories with known dependency vulnerabilities that have not been archived
84+
- [**Default secrets**](https://github.com/orgs/DEFRA/security/alerts/secret-scanning) - potential secrets matching known provider patterns or custom org patterns
85+
- [**Generic secrets**](https://github.com/orgs/DEFRA/security/alerts/secret-scanning?query=is%3Aopen+results%3Ageneric) - potential secrets detected by AI analysis
86+
87+
## Monitoring security alerts
88+
89+
Teams are responsible for staying on top of security alerts in their repositories.
90+
91+
### Repository Security tab
92+
93+
The **Security and Quality** tab in every GitHub repository shows all open Dependabot, code scanning, and secret scanning alerts. Review it regularly - alerts appear as soon as they are detected, without needing to trigger a build.
94+
95+
### GitHub notifications
96+
97+
You can configure [GitHub notifications](https://docs.github.com/en/account-and-profile/managing-subscriptions-and-notifications-on-github/setting-up-notifications/configuring-notifications) to receive alerts for security vulnerabilities in repositories you watch. This helps teams respond to new alerts promptly.
98+
99+
### Dismissing or bypassing alerts
100+
101+
Only an **admin** can bypass push protection or dismiss a security alert. In all cases, post in [`#github-support`](https://defra-digital.slack.com/archives/C015VCNLKFE) on the defra-digital Slack with a link to the request and a brief reason.
102+
103+
See the [resolving GitHub security alerts](../processes/github_security_alerts.md) process for full details.

docs/processes/credential_exposure.md

Lines changed: 6 additions & 4 deletions
Original file line numberDiff line numberDiff line change
@@ -12,20 +12,22 @@ This process will take you through what to do if that happens. The key point is
1212
1313
No matter the speed with which you rectify the situation, or how little you think the chance is for people to see it. Treat it as compromised.
1414

15+
Deleting the repository or making it private are not solutions. The secret may have been cached by GitHub, or forked by someone else. You need to treat it as compromised and rotate it.
16+
1517
## Contact operations
1618

1719
The first step is to make contact with the team responsible for your production environment.
1820

19-
For example if your service is hosted in AWS, you should call someone from the AWS web-ops team ([David Blackburn](https://github.com/davidblackburn) or [Tom Tant](https://github.com/TTEA1990)).
20-
21-
We cannot post contact numbers here. But they are available using our internal systems.
21+
For example if your service is hosted in AWS or Azure, you should raise an incident with the Cloud Centre of Excellence (CCoE).
2222

2323
Follow this up with an email that contains a link to the commit, and explains what was exposed.
2424

2525
## Fix your git
2626

2727
Next is fix your git tree. This involves removing the offending commit from your git history.
2828

29+
> In some cases rewriting history would add disproportionate complexity to the project. Particularly if the commit was some time ago. In these cases it may be better to leave the commit in place if you can rotate the secret.
30+
2931
### On a branch
3032

3133
If the commit was on a branch the fix involves amending or removing the commit. You can use git commands such as `git commit --amend` or `git rebase -i` to amend the current branches history.
@@ -44,7 +46,7 @@ To quote GitHub's guide
4446

4547
> [..] *it's important to note that those commits may still be accessible in any clones or forks of your repository, directly via their SHA-1 hashes in cached views on GitHub, and through any pull requests that reference them.*
4648
47-
If someone manages to fork or update their fork before you push your fix there is little you can do. Try to reach out to them to explain the situtation, and ask them to update their fork.
49+
If someone manages to fork or update their fork before you push your fix there is little you can do. Try to reach out to them to explain the situation, and ask them to update their fork.
4850

4951
### GitHub
5052

docs/standards/continuous_integration.md

Lines changed: 2 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -83,6 +83,8 @@ This includes vulnerabilities in GitHub actions themselves.
8383
8484
Teams must resolve any open security alerts in their repositories.
8585
86+
See the [GitHub Advanced Security guide](../guides/github_advanced_security.md) for more detail on alert types, push protection, and how to request approval to dismiss alerts.
87+
8688
### Maintainability and test coverage
8789
8890
Defra has a [SonarQube Cloud](https://www.sonarsource.com/products/sonarcloud/) organisation, which must be used to perform static quality analysis checks on your code.

docs/standards/security_standards.md

Lines changed: 2 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -12,7 +12,7 @@ Use the [OWASP Secure coding practices - quick reference guide](https://www.owas
1212

1313
## GitHub Advanced Security
1414

15-
Defra has GitHub Advanced Security enabled across its organisation. Teams should maximise use of these built-in features rather than relying on third-party tools.
15+
Defra has GitHub Advanced Security enabled across its organisation. Teams should maximise use of these built-in features rather than relying on third-party tools. See the [GitHub Advanced Security guide](../guides/github_advanced_security.md) for a full explanation of the features and how to use them.
1616

1717
### Dependency graph
1818

@@ -40,7 +40,7 @@ This means you do not need to wait for a build to run to discover a vulnerabilit
4040

4141
### Snyk
4242

43-
Snyk has been assessed alongside GitHub Advanced Security. As GitHub Advanced Security provides largely equivalent capability and is already available to all Defra teams, teams should look to maximise usage of GitHub Advanced Security rather than relying on Snyk.
43+
Snyk has been assessed alongside [GitHub Advanced Security](../guides/github_advanced_security.md). As GitHub Advanced Security provides largely equivalent capability and is already available to all Defra teams, teams should look to maximise usage of GitHub Advanced Security rather than relying on Snyk.
4444

4545
### Significant changes
4646

0 commit comments

Comments
 (0)