
GitHub Advanced Security (GHAS)

GHAS is now active and available for all repositories.

We have been collecting your questions on GHAS and tried answering them in the FAQ.

Check out this repository for our examples on advanced GHAS setups.

TL;DR

πŸ—“οΈ GHAS is enabled for all repositories

πŸ—£οΈ Let us know in the #appsec channel if you have any questions

What does this mean for you?

Unified Platform: Code and code security will now be managed under the same platform, eliminating the need for a separate dashboard.

Container Scanning: Please note that GHAS does not currently offer a container scanning solution. We have explored alternatives such as Trivy, so please reach out if you have any questions.

GHAS Features: We encourage you to enable additional GHAS features, such as code scanning with CodeQL.

Info

The information that follows offers guidance to internal Equinor teams and might not apply to the broader public.

Compliance with Governance

To comply with TR2375, you must perform:

  • SCA (Software Composition Analysis) - dependency scanning, handled by Dependency Graph.
  • SAST (Static Application Security Testing) - source code scanning, handled by Code Scanning (CodeQL).

In the Equinor GitHub Organization:

  • Secret Scanning is enabled by default for all repositories
  • Dependency Scanning is enabled by default for most repositories
  • Code Scanning must be set up manually by a repository Admin

What do you need to do?

  1. Check dependency scanning (SCA): In your repository, go to Security → Dependency Scanning and make sure it is active (alerts are being created).
  2. Enable CodeQL (SAST): CodeQL is not enabled by default. A repository Admin must:

    • Navigate to Settings → Advanced Security → CodeQL analysis → Set up → Default
    • If the default setup fails, you will see a message under Security → Code Scanning. In that case, use an advanced setup. Examples of this are available in the appsec-ghas-examples repository.

    Code analysis tools not working

Warning

If you ignore your Dependabot alerts for too long, Dependabot will stop working. In this case, you will see the following warning under Security → Dependabot.

Dependabot updates are paused

Exception from Automatic Dependency Submission

Sometimes workflows fail during automatic dependency submission because Dependabot cannot fetch packages from a private registry:

  • First, try following this guide.
  • If that doesn't solve it, request an exception using this form.