Want to find potential security vulnerabilities in your code base? Or want to see the impact of a code change on your dependencies before you merge a pull request? If you answered yes, keep reading.
GitHub offers security features, like code scanning, for private repositories under the GitHub Advanced Security license. This option is only available to GitHub Enterprise users. You can try the same features in public repositories (they are free for all public repositories), but for private repos you need the license.
Advanced Security consists of three different "products" that become available once the license is obtained. Pricing is a bit hazy, because it is not listed on the GitHub pricing page. In this Reddit post the price is estimated at around 600€, but I think that the size of the organization determines the price. Bigger organizations tend to have more repos, more users and more usage, which leads to a bigger price tag. This is just my estimate, so don't take it as the truth.
| Feature | Private repository | Public repository |
|---|---|---|
| Code scanning | Behind Advanced Security license | Included |
| Secret scanning | Behind Advanced Security license | Included |
| Dependency review | Behind Advanced Security license | Included |
What does Advanced Security bring to the table?
Advanced Security is a set of tools that you can use to harden your DevOps practices. It operates on three different levels: DevOps, code and environments. For example, in 2021 the world was shocked by the Log4j vulnerability (Log4Shell, CVE-2021-44228). It affected every company using certain versions of the log4j package, and that turned out to be quite a lot of them. Tools like dependency review (and, for the code that calls the library, code scanning) can be used to tackle problems like that. Advanced Security detects vulnerable packages in the codebase and raises an alert about them. The vulnerable package is often not referenced directly but pulled in transitively by a third-party library, so going through all packages and their dependencies by hand is hard. Advanced Security uses the GitHub Advisory Database to keep track of vulnerable package versions, so the detections are based on that: there is no magic security scanning happening against the package code behind the scenes, and a vulnerability nobody has published an advisory for will not be flagged.
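As an added example (this workflow is not from the original post or from GitHub's documentation), here is a GitHub Actions workflow that runs the dependency review action on every pull request and fails the check when a newly added or upgraded dependency has a published advisory of high or critical severity. The `main` branch and the severity threshold are assumptions for illustration; the action needs the dependency graph enabled on the repository.

```yaml
# .github/workflows/dependency-review.yml
# Added example: blocks pull requests that introduce dependency versions with
# a known advisory in the GitHub Advisory Database. Severity threshold and
# branch name are assumptions for illustration.
name: Dependency review

on:
  pull_request:
    branches: [ main ]

permissions:
  contents: read
  pull-requests: write   # only needed for comment-summary-in-pr below

jobs:
  dependency-review:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout repository
        uses: actions/checkout@v4

      - name: Review changed dependencies against the advisory database
        uses: actions/dependency-review-action@v4
        with:
          # Fail the check for advisories rated high or critical; Log4Shell
          # would have been critical. Lower-severity findings are still listed
          # in the job summary, they just do not block the merge.
          fail-on-severity: high
          # Post the review summary as a PR comment so reviewers see which
          # package, which version and which advisory caused the failure.
          comment-summary-in-pr: always
```

On a `pull_request` event the action diffs the dependency graph of the base and head commits itself, so no `base-ref`/`head-ref` inputs are needed. Because the check is only as good as the advisory database, treat a green run as "nothing known", not as "nothing wrong".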
Code scanning is static analysis of the code in the repository, triggered on pushes, pull requests or a schedule (GitHub's own analysis engine is CodeQL, and results from third-party tools can be uploaded in SARIF format too). It scans the codebase and raises an alert if the code contains a misconfiguration, error or vulnerability. Of course, the detection is based on rules (queries) written by GitHub's developers, and they won't cover the logic bugs that are the most common bugs in a codebase. Still, every bug that is detected automatically is a nice addition.
The third and last tool is secret scanning with push protection, which tries to detect connection strings, passwords, API tokens and the like; with push protection enabled the push is rejected before the secret lands in the repository. Secret scanning itself is not scheduled: it runs on every push and, when first enabled, over the existing history (scheduled runs such as a daily cron are a code scanning feature). Secret scanning is a good tool to have if you, for example, use a secret management tool like Azure Key Vault: it prevents the accidental addition of passwords and connection strings that should live in Key Vault instead.
Setting up
You can enable the Advanced Security feature by requesting a trial from GitHub. Go to the organization account > Billing and plans, click Start your free trial, fill in some basic details and you will be contacted by GitHub Sales, who will give you more details about the product. I find this model a bit too clumsy and would like to get a 30-day free trial directly from that button, but it is what it is.
For public repos you can enable code scanning from the Security tab. The dependency graph, which dependency review builds on, is enabled from the Insights tab, so the links are a little scattered.