DX business menu
DX business
HOME
Solution
Handling Manufacturer
event·
seminar
Document·
Case studies and columns
Inquiry

Github

github

Security with GitHub

Security with GitHub

Challenges in source code security

Application security

  • Unable to identify dependencies and vulnerabilities of the OSS used by the company, and unable to identify the scope of impact
  • According to internal rules, secret information should not be mixed into the source code, but it is not thoroughly enforced.
  • I used a static analysis tool in the past, but I gave up on using it because a huge number of alerts were generated and the operation did not go well.

Security for users

  • Since developers can edit the public settings of the repository themselves, there is a risk that confidential information such as corporate assets will be leaked.
  • There is a risk of ID/password being stolen, personal access tokens or SSH keys being leaked, and unauthorized login being performed.
  • An employee left the company, but was still accessible after leaving the company

Secure with GitHub Enterprise

Application Security

supply chain
supply chain
of open source components
Stay safe and compliant
code
code
as part of the workflow
Detect and fix code vulnerabilities
Development lifecycle
Development lifecycle
security and compliance
Create and execute policies as code

Developer Security

supply chain
data
by permission settings
Prevention of confidential information leaks
code
Network
By checking the connection source
secure access
Development lifecycle
A user
Level of trust with multi-factor authentication and authorization
Access control according to

Current security features provided by GitHub

supply chain
supply chain
  • Dependency graph
    View and understand dependencies
  • Advisory database
    A database that records package vulnerabilities
  • Dependabot alerts
  • Dependabot security updates
    Dependent Package Vulnerability Notifications and Pull Request Creation for Automatic Fixes
  • Dependency review *
    See new dependencies and vulnerabilities in pull requests
code
code
  • Secret scanning *
    Detect API tokens and other secrets hidden in Git history
  • Code scanning *
    Static analysis for every git push operation, integrated into workflow with CodeQL analysis
Development lifecycle
Development lifecycle
  • Branch protection
    Define conditions when branches and pull requests are merged
  • Commit signing
    Provided all commits are signed
  • Security Center
    (Security Overview)
    Visualize the risk situation within your organization

*Provided in GitHub Enterprise's paid option "GitHub Advanced Security"

Click here for a quote
Contact Us

Code security - secret detection -

Code security - secret detection -
  • Automatically detect whether authentication tokens and private key information (secrets) for communicating with external services are mixed in with code pushed to GitHub
    Supported secret information is here
  • Scan all git history after enabling the feature
  • Push protection function prevents source code containing secret information from being pushed
  GHEC GHES
Secret Scanning

* Provided as a paid option "GitHub Advanced Security" of GitHub Enterprise

Code security - secret detection -

Code Security - Code Vulnerability Detection -

Code Security - Code Vulnerability Detection -
  • It is possible to automatically analyze the code under development and check whether the code of the pattern that causes the vulnerability is written (CodeQL)
  • Scan items can be GitHub querysets (over 2,000 patterns supported) or custom queries developed by the community on GitHub
  • Extensible with other static analysis tools
    * Currently, it can be linked with ShiftLeft, Anchore, etc.
  • Supported language/environment
    https://codeql.github.com/docs/codeql-overview/supported-languages-and-frameworks/
  GHEC GHES
Code scanning

* Provided as a paid option "GitHub Advanced Security" of GitHub Enterprise

Code Security - Code Vulnerability Detection -
Code Security - Code Vulnerability Detection -

Effects of Code Scanning

Effects of Code Scanning
  • Find vulnerabilities early in development
    Reduce remediation costs by preventing known vulnerabilities during the development phase
  • Accurate analysis
    CodeQL interprets the call graph of the code and the meaning of the code and performs analysis, so it achieves very high accuracy (= few false positives). It also reduces the time spent reviewing analysis results.
  • prioritized alerts
    Analysis results are prioritized in 3 stages, so you can deal with the most important ones first
  • Leverage community
    Leverage queries created by GitHub, other companies and the open source community
Click here for a quote
Contact Us

Inquiry/Document request

Macnica GitHub

inquiry Document request

Mon-Fri 8:45-17:30