
GitHub Advanced Security in Action: Empower Developers to Secure Code

Executive Summary

This instructor-led course, delivered on-site or virtually, teaches developers and security teams how to implement GitHub Advanced Security (GHAS). Hands-on labs cover Code Scanning with CodeQL, Secret Scanning, Dependency Review, and Dependabot, and show how to integrate each into existing workflows so that risk is reduced with minimal developer friction. It is intended for developers, DevSecOps engineers, and product security teams.


Description

GitHub Advanced Security lets you shift security left through a “developer-first” approach to application security, one that recognizes the critical role developers play in securing the applications they build. This training enables developers in your organization to both understand and effectively use the features of Advanced Security.

Objectives

  • Describe the core principles and benefits of GitHub Advanced Security (GHAS).
  • Identify and explain the key features of GHAS.
  • Configure and enable GHAS features across GitHub repositories.
  • Integrate GHAS into existing CI/CD pipelines with minimal developer friction.
  • Apply dependency security automation using Dependabot and Dependency Review.
  • Detect and respond to exposed secrets with GitHub Secret Scanning.
  • Perform and interpret results from code scanning using CodeQL.
  • Collaborate across development and security teams using GHAS insights.
  • Promote a security-aware culture among developers.

Duration

7 hours of intensive training delivered over one or two days, with live instruction that includes demonstrations, comprehensive labs, and code samples.


Course Outline

Introduction to GitHub Advanced Security (GHAS)
  • What is GHAS? Core features and philosophy
  • What is Application Security (AppSec)?
  • State of AppSec in the industry
  • What does it mean to shift security left?
  • Benefits of shifting security left in the development lifecycle
  • The value of “developer-first” security
  • SAST, DAST, SCA, and other security acronyms
  • Supply Chain, Code, and Platform
Configure GHAS in Your Workflow
  • Activating GHAS features in repositories
  • Managing permissions and access controls
  • Define a Security Policy
  • CI/CD pipelines and GHAS
  • Integrate GHAS with GitHub Actions (optional)
  • Integrate GHAS with Azure DevOps (optional)
Secret Scanning and Credential Protection
  • How secret scanning works
  • Identifying exposed secrets in code
  • Creating and managing custom secret patterns
  • Remediation strategies and alerts handling
Code Scanning with CodeQL
  • What is CodeQL and how it works
  • Setting up CodeQL analysis in repositories
  • Interpreting CodeQL results and findings
  • Writing and running custom CodeQL queries
  • Advanced configuration
  • Manual vs. automatic (default) code scanning setup
  • Using the CodeQL CLI
  • Integrate with Third-Party Tools (optional)
  • Integrate with Codacy (optional)
Dependency Scanning with Dependabot
  • Understanding Dependency Graph and Dependency Review
  • Automating updates with Dependabot
  • Triage and remediation workflows
  • Managing third-party packages securely
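The two files below are an added example for the "Automating updates with Dependabot" and "Understanding Dependency Graph and Dependency Review" topics; they are not the course's own courseware. They assume an npm-based lab project at the repository root and a license policy that denies GPL-3.0 and AGPL-3.0 (both assumptions). The first file drives Dependabot's update pull requests; the second runs the Dependency Review action on every pull request so that a change adding a high-severity known-vulnerable package fails the check before it reaches the default branch.

```yaml
# File 1: .github/dependabot.yml  (added example, not the course's own file)
version: 2
updates:
  - package-ecosystem: "npm"        # assumed: Node.js lab project at the repo root
    directory: "/"
    schedule:
      interval: "weekly"
    open-pull-requests-limit: 5     # cap review noise while a backlog is worked down
    groups:
      minor-and-patch:              # one PR for low-risk bumps; majors stay separate
        update-types: ["minor", "patch"]
  - package-ecosystem: "github-actions"   # keep the workflow actions themselves current
    directory: "/"
    schedule:
      interval: "weekly"
---
# File 2: .github/workflows/dependency-review.yml  (added example)
name: Dependency review

on: [pull_request]

permissions:
  contents: read
  pull-requests: write   # lets the action post its summary as a PR comment

jobs:
  dependency-review:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/dependency-review-action@v4
        with:
          fail-on-severity: high                # block PRs that introduce high/critical advisories
          deny-licenses: GPL-3.0, AGPL-3.0      # assumed policy; adjust to your organization
          comment-summary-in-pr: always
```

Dependency Review compares the dependency graph of the pull request's base and head commits, so it only works once the Dependency Graph is enabled for the repository; Dependabot security updates then take care of the vulnerable dependencies that are already on the default branch.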

Prerequisite

  • Ability to read computer program code.
  • Command line experience with a terminal or command prompt.
  • Experience with a modern editor (e.g., Visual Studio Code) or IDE (e.g., Visual Studio or a JetBrains IDE).
  • Experience using cloud-based services such as Azure, AWS, or Google Cloud Platform.
  • This course focuses on using GitHub Advanced Security. Students write minimal code and all necessary programming code is provided.

Training Materials

All students receive comprehensive courseware covering all topics in the course. Courseware is distributed via GitHub in the form of documentation and extensive code samples. Students practice the topics covered through challenging hands-on lab exercises.

Students will need a free, personal GitHub account to access the courseware. Students will also need permission to install the selected language platform (Node.js, .NET SDK, or Python) and Visual Studio Code on their computers, as well as permission to install packages for the selected platform and Visual Studio Code extensions.