Description
Overview
This hands-on, instructor-led course, GH-500T00: GitHub Advanced Security, offers an in-depth exploration of GitHub's security features, including secret scanning, code scanning with CodeQL, and dependency management. Participants will learn to configure and utilize these tools to enhance their software development security posture. The GH-500 course also covers administrative aspects, such as setting security policies and managing sensitive data within GitHub.
Course Objectives
• Understand and configure GitHub Advanced Security features.
• Implement Dependabot for automated dependency updates.
• Set up and manage secret scanning to protect sensitive information.
• Configure code scanning using CodeQL for vulnerability detection.
• Analyze and interpret CodeQL scan results.
Who Should Attend the GitHub Advanced Security Course
• DevOps Engineer
COURSE OUTLINE
Introduction to GitHub Advanced Security
• Define GHAS and the importance of its integral features, such as secret scanning, code scanning, and Dependabot.
• Know how to use GHAS to maximize security impact.
• Understand GHAS and its role in the security ecosystem.
Configure Dependabot security updates on your GitHub repo
• Describe the available tools for managing vulnerable dependencies on GitHub.
• Enable and configure Dependabot alerts.
• Identify the permissions and roles required to view and enable Dependabot alerts.
• Enable and configure Dependabot security updates.
• Identify, review, and address vulnerable dependencies.
• Explain how to use the GraphQL API to retrieve vulnerability information.
• Explain how to configure notifications for vulnerable dependencies.
Lab: Configure Dependabot security updates
Configure and use secret scanning in your GitHub repository
• Describe secret scanning.
• Configure secret scanning.
• Use secret scanning.
Configure code scanning on GitHub
• Describe code scanning.
• List the steps for enabling code scanning in a repository.
• List the steps for enabling code scanning with third-party analysis.
• Contrast how to implement CodeQL analysis in a GitHub Actions workflow versus a third-party continuous integration (CI) tool.
• Explain how to configure code scanning on a repository using triggering events.
• Contrast the frequency of code scanning workflows (scheduled vs. triggered by events).
Identify security vulnerabilities in your codebase by using CodeQL
• Create a database by using CodeQL to extract a single relational representation of each source file in the codebase.
• Run CodeQL queries against a database to find problems in your source code and potential security vulnerabilities.
• Understand CodeQL scan results by using GitHub-created queries or your own custom queries.
Code scanning with GitHub CodeQL
• Understand CodeQL and how it analyzes code.
• Understand QL, a unique logic programming language.
• Set up CodeQL-based code scanning in a GitHub repository.
• Reference a custom CodeQL query.
• Configure the language matrix in a CodeQL workflow.
• Learn how to use the CodeQL CLI to generate code scanning results and upload them to GitHub.
• Implement custom build steps.
Lab: Reference a CodeQL query
Lab: Configure a CodeQL language matrix
GitHub administration for GitHub Advanced Security
• Understand what GitHub Advanced Security is and how to use it in the software development lifecycle.
• Identify which GitHub Advanced Security features are available for open-source projects and which are available on enterprise products.
• Enable the different features of GitHub Advanced Security on different enterprise products.
• Determine who should get access to GitHub Advanced Security features in an organization and grant the correct permissions.
• Set security policies at the organization and repository levels.
• Understand how to respond to a security alert.
• Use the Security Overview to monitor security alerts.
• Use the GitHub Advanced Security API endpoints to manage the GitHub Advanced Security features and alerts.
Manage sensitive data and security policies within GitHub
• Create documentation that details security guidelines and useful information for collaborators.
• Set permissions and other rules.
• Automate processes that prevent security breaches.
• Respond to security breaches.