Code Scanning in GitHub

Using GitHub Code Scanning to find vulnerabilities in your code

Teri Radichel
Cloud Security

--

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

⚙️ Part of my series on Automating Cybersecurity Metrics. The Code.

🔒 Related Stories: GitHub Security | Application Security | Secure Code

💻 Free Content on Jobs in Cybersecurity | ✉️ Sign up for the Email List

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

I got a call at IANS Research about GitHub security, so I was reviewing some of the latest information on the topic and decided to set up GitHub Code Scanning. It’s a pretty cool feature that can help you find problems in your code. Whether or not this code scanning tool works for you depends on a few factors, so you’ll have to test it out, but here’s how it works. It just takes a few steps to set it up.

Head over to your repo and click on Settings.

Scroll down and click on Code security and analysis.

Under Code scanning, click Set up. You are offered two options: Default and Advanced.

I chose the Default option, which runs GitHub’s CodeQL analysis with its standard query suite for the languages it detects in the repository. The Advanced option instead generates a CodeQL workflow file that you can edit: pick the languages, switch to the extended query suite, change the schedule, or add your own queries to find specific vulnerabilities you are seeking.

I set this up on the repository that contains the code I’m writing for my latest blog series on security metrics automation (and cloud governance).

It takes a little while for the analysis to complete. After it does, head back to your GitHub repo and, if any findings exist, there will be a number next to the Security tab at the top of the repository. I had one. What?!

When I took a look at the finding, it was because I had printed out a password in a piece of test code, something I explicitly told you never to do in production code, because the password should remain secret and not be exposed on the screen or in logs. Well, that’s an accurate finding!
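The setup steps above are clicks in the GitHub UI, and the finding count on the Security tab is something you read by eye. Since this series is about automating security metrics, here is the same thing done through GitHub’s REST API. This is an added example, not code from the original post or from GitHub: the endpoints (`code-scanning/default-setup` and `code-scanning/alerts`) are GitHub’s, but `OWNER`, `REPO`, the token in `GITHUB_TOKEN`, and the sample alerts in `SAMPLE_ALERTS` are made up for illustration. The token is assumed to have write access to code scanning alerts for the repository.

```python
"""Enable code scanning default setup and turn the open alerts into metrics.

Added example for this post (not GitHub's or the author's code). The REST
endpoints are GitHub's; owner/repo, token and SAMPLE_ALERTS are assumptions.
"""
import json
import os
import sys
import urllib.request
from collections import Counter

API = "https://api.github.com"


def _request(method, path, token, body=None):
    """Minimal authenticated call to the GitHub REST API; returns parsed JSON or None."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(f"{API}{path}", data=data, method=method)
    req.add_header("Accept", "application/vnd.github+json")
    req.add_header("Authorization", f"Bearer {token}")
    req.add_header("X-GitHub-Api-Version", "2022-11-28")
    if data is not None:
        req.add_header("Content-Type", "application/json")
    with urllib.request.urlopen(req) as resp:
        raw = resp.read()
    return json.loads(raw) if raw else None


def enable_default_setup(owner, repo, token, query_suite="default"):
    """Equivalent of Settings > Code security and analysis > Code scanning > Set up > Default.

    query_suite is "default" or "extended" (the latter is what the Advanced
    option lets you choose in the generated workflow).
    """
    path = f"/repos/{owner}/{repo}/code-scanning/default-setup"
    return _request("PATCH", path, token, {"state": "configured", "query_suite": query_suite})


def fetch_open_alerts(owner, repo, token):
    """Page through the open alerts behind the number on the repository's Security tab."""
    alerts, page = [], 1
    while True:
        path = f"/repos/{owner}/{repo}/code-scanning/alerts?state=open&per_page=100&page={page}"
        batch = _request("GET", path, token) or []
        alerts.extend(batch)
        if len(batch) < 100:
            return alerts
        page += 1


def summarize_alerts(alerts):
    """Reduce raw alert objects to the numbers worth tracking over time.

    Dismissed and fixed alerts are ignored. Severity prefers CodeQL's
    security_severity_level (low/medium/high/critical) and falls back to the
    generic rule severity (note/warning/error) for non-security queries.
    """
    by_severity, by_rule, locations = Counter(), Counter(), []
    for alert in alerts:
        if alert.get("state") != "open":
            continue
        rule = alert["rule"]
        sev = rule.get("security_severity_level") or rule.get("severity") or "unknown"
        by_severity[sev] += 1
        by_rule[rule["id"]] += 1
        loc = alert["most_recent_instance"]["location"]
        locations.append(f'{loc["path"]}:{loc["start_line"]} {rule["id"]} ({sev})')
    return {
        "open": sum(by_severity.values()),
        "by_severity": dict(by_severity),
        "by_rule": dict(by_rule),
        "locations": locations,
    }


# Constructed sample data shaped like the alerts API response. The first alert
# mirrors the kind of finding described in the post (a password written to
# output); the file paths and line numbers are invented.
SAMPLE_ALERTS = [
    {
        "number": 1,
        "state": "open",
        "rule": {"id": "py/clear-text-logging-sensitive-data", "severity": "error",
                 "security_severity_level": "high",
                 "description": "Clear-text logging of sensitive information"},
        "tool": {"name": "CodeQL"},
        "most_recent_instance": {"ref": "refs/heads/main",
                                 "location": {"path": "test/test_login.py", "start_line": 12},
                                 "message": {"text": "This expression logs sensitive data (password) as clear text."}},
    },
    {
        "number": 2,
        "state": "open",
        "rule": {"id": "py/unused-import", "severity": "warning", "security_severity_level": None,
                 "description": "Unused import"},
        "tool": {"name": "CodeQL"},
        "most_recent_instance": {"ref": "refs/heads/main",
                                 "location": {"path": "scripts/deploy.py", "start_line": 3},
                                 "message": {"text": "Import of 'os' is not used."}},
    },
    {
        "number": 3,
        "state": "dismissed",
        "rule": {"id": "py/clear-text-logging-sensitive-data", "severity": "error",
                 "security_severity_level": "high",
                 "description": "Clear-text logging of sensitive information"},
        "tool": {"name": "CodeQL"},
        "most_recent_instance": {"ref": "refs/heads/main",
                                 "location": {"path": "test/test_login.py", "start_line": 40},
                                 "message": {"text": "This expression logs sensitive data (password) as clear text."}},
    },
]


if __name__ == "__main__":
    # Usage: GITHUB_TOKEN=... python codescan_metrics.py OWNER REPO
    if len(sys.argv) == 3 and os.environ.get("GITHUB_TOKEN"):
        owner, repo, token = sys.argv[1], sys.argv[2], os.environ["GITHUB_TOKEN"]
        enable_default_setup(owner, repo, token)
        print(json.dumps(summarize_alerts(fetch_open_alerts(owner, repo, token)), indent=2))
    else:
        print(json.dumps(summarize_alerts(SAMPLE_ALERTS), indent=2))
```

Run it without arguments and it summarizes the constructed sample, reporting two open alerts (one high, one warning) and skipping the dismissed one; with an owner, repo and token it enables default setup and summarizes the real alerts, which is the number you would feed into a metrics dashboard rather than reading it off the Security tab.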

In addition to what GitHub has to offer, you can integrate code scanning from other tools. Click on the Explore workflows link.

Here you can choose and test out a number of different tools, such as DevSkim, which I’ve used before and which is free.

This is a pretty nice feature from GitHub and it’s very easy to set up.

GitHub Code Scanning runs CodeQL as a GitHub Actions workflow, so the analysis consumes Actions minutes. Public repositories get code scanning and Actions minutes for free; private repositories need GitHub Advanced Security and the minutes count against your plan, so check the cost if you have a lot of repositories to scan.

Enjoy and Secure Your Code!

More on application security here:

Follow for updates.

Teri Radichel | © 2nd Sight Lab 2023

About Teri Radichel:
~~~~~~~~~~~~~~~~~~~~
⭐️ Author: Cybersecurity Books
⭐️ Presentations: Presentations by Teri Radichel
⭐️ Recognition: SANS Award, AWS Security Hero, IANS Faculty
⭐️ Certifications: SANS ~ GSE 240
⭐️ Education: BA Business, Master of Software Engineering, Master of Infosec
⭐️ Company: Penetration Tests, Assessments, Phone Consulting ~ 2nd Sight Lab

Need Help With Cybersecurity, Cloud, or Application Security?
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
🔒 Request a penetration test or security assessment
🔒 Schedule a consulting call
🔒 Cybersecurity Speaker for Presentation

Follow for more stories like this:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
❤️ Sign up for my Medium Email List
❤️ Twitter: @teriradichel
❤️ LinkedIn: https://www.linkedin.com/in/teriradichel
❤️ Mastodon: @teriradichel@infosec.exchange
❤️ Facebook: 2nd Sight Lab
❤️ YouTube: @2ndsightlab
