GHAS Certification Exam Prep: Part Two - Scanning

[queenofcorgis]

This discussion and some of its comments have been edited and modified from its original format to enable evergreen learning

In Part One, we got started and prepped to cover the basics of the GHAS certification exam. In this Discussion we’re going to focus on all things scanning. One of secret scanning’s Product Managers @courtneycl joined us to answer questions.

Plus, prep materials and test questions to continue on studying.

Step One: Prep 📚

Use these materials to study before answering this week’s prep questions.

• Microsoft Learn Modules
  • Configure and use secret scanning in your GitHub repository
  • Configure code scanning on GitHub
• Study guides from @NickLiffen
  • Reviewing GitHub Advanced Security scan results
  • Customizing the scope of secret scanning
  • Bonus: Extend your testing with third-party tools with GitHub code scanning
• Study guides from @LadyKerr
  • Configure and use secret scanning
  • Configure and use code scanning
• Videos
  • GitHub Advanced Security - Pass the Exam from freeCodeCamp
    • Secret Scanning
    • Code Scanning
• Community member materials
  • @Salgado2004's breakdown of this topic in their comment

Step Two: Test Your Knowledge ⚡

Question 1: What do you need to do if you want to change the settings for secret scanning on a public repository?

A) Enable secret scanning on the repository.
B) Switch the repository to a private one with GitHub Advanced Security.
C) Get admin permissions on the repository.

Question 2: Where can you configure the recipients of secret scanning alerts?

A) In the Code security and analysis settings of a repository
B) In the Manage Access settings of a repository
C) In the Watch settings of a repository

Question 3: How many custom patterns can you create for an organization?

A) 100
B) 5000
C) 500
D) 1000

Question 4: Which tool is primarily used for code scanning in GitHub Actions?

A) ESLint
B) CodeQL
C) JSHint
D) Prettier

Question 5: How can third-party analysis tools be integrated with GitHub code scanning?

A) By installing browser extensions
B) By using GitHub Marketplace actions
C) By modifying the .gitignore file
D) By creating a new GitHub repository

View the answers in my comment 🧠

Use the discussion below to share additional study resources and respond to our prep questions

[jccampanero]

I am very sorry for not being able to participate in the first week of the course at the designated time.

I believe these are the answers for this week's questions:

1. B (secret scanning is enabled by default on public repositories and can't be configured or turned off)
2. A (only customizable in private repositories)
3. C
4. B
5. B

Thank you very much for this excellent initiative!

[queenofcorgis]

@jccampanero you're welcome to participate in last week's at any time - just don't look at my comment with the answers 😄

[jccampanero]

Thank you very much @queenofcorgis Lili, I posted my answers: as I said, I promise that I didn't see yours...

[queenofcorgis]

I believe you - I'm so glad you went back!

[jccampanero]

Thank you very much Lili!

[geopd]

1. A
2. A
3. C
4. B
5. B

[profile-palash]

I think the answers are :

Question	Answer	Details
1: What do you need to do if you want to change the settings for secret scanning on a public repository?	C) Get admin permissions on the repository	To have the ability to change secret scanning settings, you must be an administrator of the repository. Only administrators have the necessary permissions to modify these configurations.
2: What do you need to do if you want to change the settings for secret scanning on a public repository?	A) In the Code security and analysis settings of a repository	To modify secret scanning settings for a public repository, navigate to the repository's settings, then select "Code security and analysis." From there, you can adjust various options, including enabling/disabling secret scanning, configuring push protection, and managing custom patterns.
3: How many custom patterns can you create for an organization?	C) 500	Organizations can create a maximum of 500 custom patterns for secret scanning. These patterns allow you to define specific sequences of characters that should be flagged as potential secrets.
4: Which tool is primarily used for code scanning in GitHub Actions?	B) CodeQL	CodeQL is the primary tool used for code scanning in GitHub Actions. It's a static analysis engine that can identify potential security vulnerabilities and errors in code.
5: How can third-party analysis tools be integrated with GitHub code scanning?	B) By using GitHub Marketplace actions	Third-party analysis tools can be integrated with GitHub code scanning by using GitHub Marketplace actions. These actions provide pre-built workflows and integrations that can be easily added to your GitHub Actions pipelines, allowing you to leverage the capabilities of various security tools.

[queenofcorgis]

@profile-palash I've been missing your great answers in this week's Discussion on the CodeQL Section, I hope you'll be able to join us!

[profile-palash]

Hi @queenofcorgis, Thanks for keeping me in the loop 😊

[RishavKumarSinha]

I see, a bit tricky questions this time. Well I think the correct answers are,

1. C
2. A
3. C
4. B
5. B

I might have to refer to those resources to be 100% sure, but I am confident.

[Salgado2004]

Hello everyone!
Thank you for one more lesson 🚀😁 Secret and Code scanning are very important to keep code quality and ensure the security in your repo. I've never used them before, but after this lesson I'm looking forward to implement it in my college projects 😅.

Here's my breakdown for this week's topics (Feel free to add more stuff in the comments or correct me):

Domain 2: Configure and use secret scanning

Enable and use secret scanning

• Describe secret scanning:
  Secret Scanning is a GitHub feature that looks into your repository for potencial leaked secrets, like API keys or auth Tokens, based on known patterns and send alerts when they are found. It prevents accidentally commiting secrets.
• Choose when secret scanning occurs:
  With secret scanning you can enable Push Protection, to check pushes for supported secrets. It prompts directly in the developer's IDE or CLI when a secret is detected in code.
• Contrast secret scanning availability for public and private repositories:
  It's available and enabled by default in public repositories. It requires GitHub Advanced Security License in private repositories. When you enable secret scanning for private repositories, since you have GHAS license, you also have some configurable options like excluding files from being scanned or configurable notification recievers.
• Enable secret scanning for private repositories:
  Your need to go to the Settings tab > Code security and analysis of your repository, and first enable GitHub Advanced Security (Take care, cause it's Not free). Then you can enable secret scanning and push protection.
• Enable secret scanning for an organization:
  It's not so different. Your need to go to the Settings tab > Code security and analysis of your organization, and enable GHAS. Then you select "enable all" and "enable for eligible repositories" for secret scanning, and it will enable for all repositories (eligible) of your organization (very useful). You can do the same for push protection. You can also mark a checkbox to automatically enable for new public repositories and repositories with GHAS.
• Explain how to pick an appropriate response to a secret scanning alert:
  GitHub advises that: Once a secret has been commited into a repository, you should consider it compromised, and follow some steps depending on the kind of secret to remediate. After you're aware of the situation, there is a drop-down to select the closing reason.

Warning

Remember, you should not ignore alerts. Whenever option you choose as the closing reason, it is recorded for security logs.

• Determine if an alert is generated for a given secret, pattern, or service provider:
  In the Security tab, when you look the results of the secret scanning, you can see some attributes and filter alerts by:
  - Bypassed
  - Validity
  - Secret type
  - Provider
  It is very useful to determine what is the secret, if it's still active, and more.
• Determine if a given user role will see secret scanning alerts:
  Security managers, repository admins, and organization/enterprise owners will have access by default. Custom roles with read/write access can also be given access to scanning alerts.

Note

I'm a little confused in this part. Cause I've read that the one person that commited the secret will receive a notification regardless of the notification preference. Does it mean they have access to the alert in the security tab also? Or are they just notified they messed up?

Customize default secret scanning behavior

• Configure the recipients of a secret scanning alert (also includes how to provide access to members and teams other than admins):
  In Settings tab > Code security and analysis your can go to access to alerts and add members from your repository to the recipients list. Also, security managers, repository admins, users with custom roles and organization/enterprise owners will have access.
• Describe how to exclude certain files from being scanned for secrets:
  If, for some reason, you want to have files with known secrets in your repository (like an example documentation or something like that) and don't want to receive alerts form secret scan, you can exclude them using the .github/secret_scanning.yml file. You can add all the files you want to ignore in the paths-ignore attribute using glob pattern, like this:

paths-ignore:
    - "docs/*.md" 

Warning

• You can only have 1000 entries in this file. More than 1000 will be ignored.

• Explain how to enable custom secret scanning for a repository:
  Secret scanning looks for known patterns (available in GitHub's documentation), but you can add your custom patterns if you have GHAS license. For a repository, you can have up to 100 custom patterns. In Settings tab > Code security and analysis, you go to Secret scanning > custom patterns and create a new pattern. It will require the name, the RegEx for the pattern, and one test string to check if it is working. You can also select save and dry run to see sample results, positive and negative (that's very cool).
• Explain how to enable custom secret scanning for an organization:
  For organizations, the proccess is very similar. But you can have up to 500 custom patterns. Also, in the dry-run, you can specify which repositories you want to perform the dry-run.

Domain 4: Configure and use code scanning

Describe and enable code scanning

• Describe code scanning:
  I understand code scanning as a SAST¹ tool (like fortify or sonarQube). It's a GHAS feature that uses CodeQL to analyse the code to find vulnerabilities. It generates alerts in the Security tab
• List the steps for enabling code scanning in a repository using GitHub Actions:
  Go to Settings tab > Code security and analysis, scroll down to code scanning section. In the set up drop-down you can select "default" or "advanced". If you choose default, you'll be prompted some basic configurations and GitHub will do the rest for you. If you choose advanced, GitHub will automatically create the workflow file codeql.yml that you can customize as you want. After you finish the setup, you can enable code scanning and it will (probably, I'm not sure) run the first scan for the repository.
• Enable code scanning for use with a CodeQL analysis workflow:
  If you set up the advanced code scanning, you can manage the workflow file for the code scanning. It works as any GitHub Actions workflow, you can define triggers (push, pull request, scheduled, workflow dispatch and more), steps, how it is supposed to run, custom CodeQL queries, etc.
• Describe how code scanning relates to GitHub Actions consumption:
  The code scanning basically is a workflow that you don't need to create (kinda like GitHub pages?). Even if you choose the default configuration, which doesn't provide a workflow file, it's still a workflow in your repo, that can be triggered by pushes, PRs, schedules, etc. It also means that, if your repository is private, it will consume your GitHub Actions minutes.

Use code scanning with third-party tools

• Enable code scanning for use with a third-party analysis:
  GitHub allows for third-party analysis tools. Basically it means that you "don't need" to run the scanning in GitHub, you can run anywhere, upload the results and see the security alerts in Security tab. The results must use SARIF 2.1.0 format. How you upload the results depends on how you generated them, but you can use the code-scanning API, the CodeQL CLI or GitHub Actions.
• Contrast the steps for using CodeQL versus third party analysis when enabling code scanning:
  Using third party tools is a little (a lot) more complex to enable code scanning. First, you don't need to set up the code scanning in Settings tab > Code security and analysis, because you're not using it. But you need to define How you're going to upload your SARIF files, used by GitHub to generate security alerts. It can be done by GitHub Actions, using the upload-sarif workflow. Or it can be done manually with the code-scanning API or the CodeQL CLI.
• Contrast how to implement CodeQL analysis in a GitHub Actions workflow versus a third-party CI tool:
  In the end, the configuration is not so different if you're using the advanced set up. You can configure your workflow file with both to run on PRs, pushes, etc. Depending on which third-party tool you're using, you can generate the sarif file right in the action and upload it from there, so almost the same work as using CodeQL. But I believe CodeQL still makes it easier and simpler to use (specially if you set up default, but even advanced is easier). Also, you can configure how CodeQL scans your code, like when to run and what to ignore.

Configure code scanning

• Describe how code scanning fits in the software development life cycle:
  Well, since is very customizable (you can simply edit the workflow file if you choose advanced setup) it can fit diverse needs of development teams. You can use it to create Quality Gates triggering with PRs, or use it on a scheduled basis to validade daily or weekly changes. Anyway your team decides to use it, it will improve the development life cycle from code quality perspective.
• Contrast the frequency of code scanning workflows (scheduled versus triggered by events):
  With the advanced set up, you have access to the workflow file that runs the code scanning. It means that you can customize when your workflow is going to run defining action triggers like on:push, on:pull_request or schedules on:schedule:-cron: '0 0 * * 7' using CRON format. You can even choose on:workflow_dispatch if you want to run code scanning on demand (it's very useful, I use a lot). The uses are up to you.
• Choose a triggering event for a given development pattern (for example, in a pull request and for specific files):
  If you're triggering your code scanning with on:push, on:pull_request you can define custom properties in the workflow file, like which branchs will be affected branches: [main, "release/*"] or if it should ignore files paths-ignore: - '**/*.md' (it is useful if you're doing a documentation PR or something that is not related to code). All of this is available in GitHub Actions triggers documentations.
• Edit the default template for Actions workflow to fit an active, open source, production repository:
  As it was said earlier, with advanced set up you're free to edit the workflow file as you want to fit your needs. For example, if you have a repo that have many commits frequently, maybe a best strategy is using on:pull_request instead of on:push and requiring a pull request before merging with main branch.

Note

I'm not sure if I understood this topic... I mean, it is about editing the workflow file, but what exactly does it want? Anybody knows?

Hope you like it!

Test answers:

1. B
2. A
3. C
4. B
5. B

Footnotes

1. SAST: Static Application Security Testing. ↩

[courtneycl]

👋 Hi @Salgado2004!

Determine if a given user role will see secret scanning alerts:
Security managers, repository admins, and organization/enterprise owners will have access by default. Custom roles with read/write access can also be given access to scanning alerts.

I'm a little confused in this part. Cause I've read that the one person that commited the secret will receive a notification regardless of the notification preference. Does it mean they have access to the alert in the security tab also? Or are they just notified they messed up?

The person who commits the secret will indeed always receive an email notification with a link to the alert, but without having been granted access to secret scanning alerts, they won't be able to view all alerts within the security tab of the repository. They only can access the alert by navigating from the link in their email.

[Salgado2004]

Hello @courtneycl!
I get it now 😅 makes much more sense! Thank you

[queenofcorgis]

@Salgado2004 - we're missing you too this week, your study guides have been great supplementary learning and I look forward to seeing them each week. Will you be joining us for Week Three's Code QL section?

[Salgado2004]

Hello @queenofcorgis!
Thanks for the encouragement! 🥹 This week was a bit rough so I took a little longer, but I'm not failing my contribution 😁

[bos-hieu]

1. C
2. A
3. C
4. B
5. B

The first question is a tricky one. Initially, I thought the answer was option B, but after reviewing some public repositories, I didn’t find any option for changing the secret scanning settings. Therefore, I believe we need admin permissions to modify the settings.

[juanlujand]

Question 1: What do you need to do if you want to change the settings for secret scanning on a public repository?
A) Enable secret scanning on the repository.
Question 2: Where can you configure the recipients of secret scanning alerts?
A) In the Code security and analysis settings of a repository
Question3 :
C) 500
Question 4: Which tool is primarily used for code scanning in GitHub Actions?
B) CodeQL
Question 5: How can third-party analysis tools be integrated with GitHub code scanning?
B) By using GitHub Marketplace actions

[suleman23194]

C) Get admin permissions on the repository.
A) In the Code security and analysis settings of a repository.
D) 1000.
B) CodeQL.
B) By using GitHub Marketplace actions.

[queenofcorgis]

The answers are...

Answers

Question 1: What do you need to do if you want to change the settings for secret scanning on a public repository?
Answer: B) Switch the repository to a private one with GitHub Advanced Security.

Question 2: Where can you configure the recipients of secret scanning alerts?
Answer: A) In the Code security and analysis settings of a repository

Question 3: How many custom patterns can you create for an organization?
Answer: C) 500

Question 4: Which tool is primarily used for code scanning in GitHub Actions?
Answer: B) CodeQL

Question 5: How can third-party analysis tools be integrated with GitHub code scanning?
Answer: B) By using GitHub Marketplace actions

[queenofcorgis]

Keep the momentum going and join Part Three's Discussion on CodeQL!

[Yordan-Ramchev]

1. C) Get admin permissions on the repository
2. B) In the Manage Access settings of a repository
3. C) 500
4. B) CodeQL
5. B) By using GitHub Marketplace actions

[davevad93]

Question 1: What do you need to do if you want to change the settings for secret scanning on a public repo?

B) Switch the repository to a private one with GitHub Advanced Security.

Question 2: Where can you configure the recipients of secret scanning alerts?

A) In the Code security and analysis settings of a repository

Question 3: How many custom patterns can you create for an organization?

C) 500

Question 4: Which tool is primarily used for code scanning in GitHub Actions?

B) CodeQL

Question 5: How can third-party analysis tools be integrated with GitHub code scanning?

B) By using GitHub Marketplace actions