Introduce a CodeQL analysis workflow to a repository - GitHub Tutorial

Contents

• Introduction Introduction

  • Introduction

    5m
• 1. Unveil GHAS Security Features 1. Unveil GHAS Security Features

  • Learning objectives

    48s
  • (Locked)
    Differentiate security features with open-source projects and the features available when GHAS pairs with GHEC or GHES

    5m 1s
  • (Locked)
    Describe the features and benefits of a security overview

    1m 32s
  • (Locked)
    Describe the differences between secret scanning and code scanning

    2m 34s
  • (Locked)
    Describe how secret scanning, code scanning, and Dependabot create a more secure software development lifecycle

    4m 33s
  • (Locked)
    Contrast a security scenario with an isolated security review and an advanced scenario

    13m 32s
• 2. Harness GHAS Features 2. Harness GHAS Features

  • Learning objectives

    41s
  • (Locked)
    Describe how vulnerable dependencies are identified

    2m
  • (Locked)
    Explain how to act on alerts from GHAS

    1m 47s
  • (Locked)
    Explain the implications of ignoring an alert

    2m 12s
  • (Locked)
    Explain the role of a developer when they discover a security alert

    2m 2s
  • (Locked)
    Describe the differences in access management to view alerts for different security features

    2m 48s
  • (Locked)
    Describe a security policy in a GitHub repository

    1m 2s
  • (Locked)
    Identify where to use Dependabot alerts in the software development lifecycle

    25m 49s
• 3. Implement Secret Scanning 3. Implement Secret Scanning

  • Learning objectives

    43s
  • (Locked)
    Describe secret scanning

    6m 13s
  • (Locked)
    Choose when secret scanning occurs

    1m 16s
  • (Locked)
    Contrast secret scanning availability for public and private repositories

    2m 18s
  • (Locked)
    Enable secret scanning for private repositories

    1m 38s
  • (Locked)
    Enable secret scanning for an organization

    1m 4s
  • (Locked)
    Explain how to pick an appropriate response to a secret scanning alert

    34s
  • (Locked)
    Determine if an alert is generated for a given secret, pattern, or service provider

    56s
  • (Locked)
    Determine if a given user role will see secret scanning alerts

    21m 38s
• 4. Tailor Secret Scanning 4. Tailor Secret Scanning

  • Learning objectives

    29s
  • (Locked)
    Configure the recipients of a secret scanning alert

    3m 22s
  • (Locked)
    Describe how to exclude certain files from being scanned for secrets

    2m 51s
  • (Locked)
    Explain how to enable custom secret scanning for a repository

    2m 43s
  • (Locked)
    Explain how to enable custom secret scanning for an organization

    18m 2s
• 5. Explore Dependency Vulnerability Tools 5. Explore Dependency Vulnerability Tools

  • Learning objectives

    27s
  • (Locked)
    Define a vulnerability

    1m 8s
  • (Locked)
    Describe Dependabot alerts

    3m 51s
  • (Locked)
    Describe Dependabot security updates

    2m 37s
  • (Locked)
    Define the dependency graph

    2m 37s
  • (Locked)
    Describe how the dependency graph is generated

    2m
  • (Locked)
    Describe how alerts are generated for vulnerable dependencies

    14m 33s
• 6. Set Up Vulnerability Management Tools 6. Set Up Vulnerability Management Tools

  • Learning objectives

    33s
  • (Locked)
    Identify the default settings for Dependabot alerts in public and private repositories

    1m 55s
  • (Locked)
    Identify the permissions and roles required to enable Dependabot alerts

    1m 20s
  • (Locked)
    Identify the permissions and roles required to view Dependabot alerts

    45s
  • (Locked)
    Enable Dependabot alerts for private repositories

    28s
  • (Locked)
    Enable Dependabot alerts for organizations

    1m 3s
  • (Locked)
    Create a valid Dependabot configuration file

    55s
  • (Locked)
    Configure notifications for vulnerable dependencies

    11m 52s
• 7. Resolve Vulnerable Dependencies 7. Resolve Vulnerable Dependencies

  • Learning objectives

    33s
  • (Locked)
    Identify a vulnerable dependency from a Dependabot alert

    2m 51s
  • (Locked)
    Identify vulnerable dependencies from a pull request

    1m 37s
  • (Locked)
    Enable Dependabot security updates

    1m 21s
  • (Locked)
    Remedy a vulnerability from a Dependabot alert in the Security tab

    51s
  • (Locked)
    Remedy a vulnerability from a Dependabot alert in the context of a pull request

    1m 17s
  • (Locked)
    Act on any Dependabot alerts by testing and merging pull requests

    9m 26s
• 8. Initiate Code Scanning 8. Initiate Code Scanning

  • Learning objectives

    26s
  • (Locked)
    Describe code scanning

    5m 45s
  • (Locked)
    List the steps for enabling code scanning in a repository using GitHub Actions

    3m 18s
  • (Locked)
    Enable code scanning for use with a CodeQL analysis workflow

    2m 47s
  • (Locked)
    Describe how code scanning relates to GitHub Actions consumption

    16m 50s
• 9. Integrate Third-Party Code Scanning 9. Integrate Third-Party Code Scanning

  • Learning objectives

    30s
  • (Locked)
    Enable code scanning for use with third-party analysis

    5m 1s
  • (Locked)
    Contrast the steps for using CodeQL versus third-party analysis when enabling code scanning

    2m 31s
  • (Locked)
    Contrast how to implement CodeQL analysis in a GitHub Actions workflow versus a third-party CI tool

    14m 49s
• 10. Configure Code Scanning 10. Configure Code Scanning

  • Learning objectives

    27s
  • (Locked)
    Describe how code scanning fits in the software development lifecycle

    1m 15s
  • (Locked)
    Contrast the frequency of code scanning workflows

    2m 37s
  • (Locked)
    Choose a triggering event for a given development pattern

    1m 11s
  • (Locked)
    Edit the default template for the Actions workflow to fit an active, open-source, production repository

    15m 41s
• 11. Discover CodeQL Scanning Capabilities 11. Discover CodeQL Scanning Capabilities

  • Learning objectives

    26s
  • (Locked)
    Describe CodeQL

    2m 19s
  • (Locked)
    Define a QL pack, code query, and code suite

    2m 3s
  • (Locked)
    Describe the default CodeQL query suites

    46s
  • (Locked)
    Describe how CodeQL analyzes code and produces results

    14m 12s
• 12. Apply CodeQL Scanning 12. Apply CodeQL Scanning

  • (Locked)
    Learning objectives

    32s
  • (Locked)
    Introduce a CodeQL analysis workflow to a repository

    1m 17s
  • (Locked)
    List the locations in which CodeQL queries can be specified for use with code scanning

    3m 23s
  • (Locked)
    Configure the language matrix in a CodeQL workflow

    2m 47s
  • (Locked)
    Reference a CodeQL query from a public repository within a code scanning workflow

    1m 19s
  • (Locked)
    Reference a CodeQL query from a private repository within a code scanning workflow

    1m 12s
  • (Locked)
    Reference a CodeQL query from a local directory within a code scanning workflow

    38s
  • (Locked)
    Reference a configuration file within the same repository

    1m 8s
  • (Locked)
    Reference a configuration file in a remote public repository

    1m 6s
  • (Locked)
    Execute code scanning with the CodeQL CLI

    41s
  • (Locked)
    Contrast the steps to execute code scanning in GitHub Actions vs. the CodeQL CLI

    10m 24s
• 13. Triage CodeQL Analysis Results 13. Triage CodeQL Analysis Results

  • (Locked)
    Learning objectives

    33s
  • (Locked)
    Describe how to view code scanning results from CodeQL analysis

    1m 49s
  • (Locked)
    Troubleshoot a failing code scanning workflow using CodeQL

    2m 36s
  • (Locked)
    Follow the data flow through code using the show paths experience

    1m 38s
  • (Locked)
    Explain the reason for a code scanning alert given documentation linked from the alert

    1m 4s
  • (Locked)
    Determine if and why a code scanning alert needs to be dismissed

    1m 22s
  • (Locked)
    Describe potential shortfalls in CodeQL via a model of compilation and language support

    1m 47s
  • (Locked)
    Optimize CodeQL analysis runtimes

    17m 9s
• 14. Incorporate External Scanning Tools 14. Incorporate External Scanning Tools

  • (Locked)
    Learning objectives

    18s
  • (Locked)
    Explain how to upload third-party SARIF results via the SARIF endpoint

    3m 11s
  • (Locked)
    Explain the purpose of defining a SARIF category

    10m 45s
• 15. Implement GHAS Best Practices 15. Implement GHAS Best Practices

  • (Locked)
    Learning objectives

    40s
  • (Locked)
    Use a CVE and CWE to describe a GitHub Advanced Security alert and list potential remediation

    3m 34s
  • (Locked)
    Advanced security alert and list potential remediation

    1m 48s
  • (Locked)
    Describe the decision-making process for closing and dismissing security alerts

    1m 21s
  • (Locked)
    Determine the roles and responsibilities of development and security teams on a software development workflow

    1m 4s
  • (Locked)
    Explain how to set a review cadence with security teams when appropriate

    1m 37s
  • (Locked)
    Use security policies to instruct all contributors to better secure their repositories

    2m 4s
  • (Locked)
    Compare the code scanning alert against the repository's security policy

    53s
  • (Locked)
    Align repository branch protection configuration with written security policies

    11m 24s
• 16. Administer GitHub Advanced Security 16. Administer GitHub Advanced Security

  • (Locked)
    Learning objectives

    42s
  • (Locked)
    Explain how GitHub Advanced Security features are enabled on GitHub Enterprise Server

    1m 36s
  • (Locked)
    Explain how GitHub Advanced Security features are enabled for an organization

    48s
  • (Locked)
    Set security policies for a repository

    58s
  • (Locked)
    Set security policies for an organization

    1m 39s
  • (Locked)
    Describe how permissions are interpreted throughout a security workflow

    2m 5s
  • (Locked)
    Locate API endpoints for GHAS features, like secret scanning, code scanning, and Dependabot

    1m
  • (Locked)
    List stakeholders that need to be involved in the security workflows enabled by GHAS

    1m 33s
  • (Locked)
    Configure code scanning within a repository or organization using the default CodeQL workflow

    1m 6s
  • (Locked)
    Identify the custom build steps necessary in a CodeQL workflow

    5m 27s
• Conclusion Conclusion

  • (Locked)
    Summary

    1m 5s