Security: davidkhala/github

Security

security.md

Free security

Dependency graph

Dependency graph is part of repository Insights

GitHub uses the dependency graph to add dependency reviews to pull requests.

Dependabot alerts

Prerequisite: you need CI in place before applying a patch

  • Merging a Dependabot PR directly is a partial update; it always introduces consistency issues.
  • Make sure CI is green before patching. Otherwise there is no known-good state to roll back to, and you are forced to rush straight to a fix.

Configure at organization level

Code security configurations

  • Location: Tab Settings > Left panel Security \ Code Security > Configurations
  • Apply the GitHub recommended prebuilt configuration
    • These are the suggested settings for Dependabot, secret scanning, and code scanning.
    • Steps (to be repeated regularly)
      1. Apply to > All repositories without configurations
      2. Use as default for newly created repositories: > All repositories

Global code security settings

  • Location: Tab Settings > Left panel Security \ Code Security > Global settings
  • Dependabot
    • Dependabot on Actions runners
  • Code scanning
    • Recommend the extended query suite for repositories enabling default setup
      • Extended Query Suite detects lower risk issues, such as
        • Misconfigurations
        • Unused dependencies
        • Potentially vulnerable code patterns
  • Secret scanning
    • Add a resource link in the CLI and web UI when a commit is blocked
      • A URL-like string; free-form text is not allowed
      • Optional if you have a universal support website

About

Code scanning

Location: security_analysis > Code scanning > Tools > CodeQL analysis

CodeQL default configuration

  • It will override an existing advanced setup

  • It does not add any file to the repository

  • Scan Triggers

    • On push default/protected branch
    • On creating or committing to a pull request against default/protected branch, excluding pull requests from forks
    • On a weekly schedule
      • Idle: when no pushes or pull requests have occurred for 6 months
  • Default setup will not run on PRs from Dependabot

  • build mode for compiled languages: none for C# and Java, otherwise autobuild

  • Steps: Configuring default setup for a repository

CodeQL advanced setup

It is presented as a GitHub Actions workflow

CodeQL CLI: a standalone, command-line tool that you can use to analyze code

  • About
  • It can generate a database representation (the CodeQL database) of a codebase
    • consumed by the CodeQL VS Code extension
    • command: codeql database create
  • You can query CodeQL database interactively
  • You can generate a set of results in SARIF format
    • by running a suite of queries
      • command: codeql database analyze
    • to upload to Github for display
      • command: codeql github upload-results
  • Use cases
    • Offline, on-premises environments
    • Using CodeQL on third-party CI systems, including Azure DevOps
    • Advanced code scanning: write your own query as security researcher
  • e2e Example
  • Install
    • Download format: a tar archive on the release page containing the CLI binary, source code, and compiled queries and libraries
    • Current latest release: v2.20.0
    • Validate the installation with the command codeql resolve packs
  • It is written in Node.js

Secret scanning

Enabling secret scanning for your repository

Custom auto-triage rules

It allows users to create new Dependabot rules

Dependency review

Compared with Dependabot alerts

  • Both find vulnerabilities
  • Dependabot alerts discover vulnerabilities that are already in your dependencies
  • Dependency review prevents new vulnerabilities from being introduced

Dependency review (visualization)

It provides a visualization of dependency changes (in package manifests or lock files) with a rich diff

  • Location: tab "Files Changed" of a pull request.
  • A GitHub Action
  • By default, the dependency-review-action check fails if it discovers any vulnerable packages.
    • Part of the PR checks: a failed check blocks a pull request from being merged when the repository owner requires the dependency review check to pass.
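An added example (not from this repository) of the two Actions-based pieces described above: a CodeQL advanced-setup workflow with the push / pull request / weekly triggers and the extended query suite, plus a dependency-review-action job that fails the PR check on vulnerable packages. It assumes `main` is the default branch and that the repository contains JavaScript/TypeScript and Java code.

```yaml
name: Code security (added example)

on:
  push:
    branches: [main]          # assumption: main is the default/protected branch
  pull_request:
    branches: [main]
  schedule:
    - cron: '30 3 * * 1'      # weekly run, mirroring the default setup's schedule trigger

permissions:
  contents: read
  security-events: write      # needed to upload SARIF results to code scanning
  pull-requests: write        # lets dependency review post its summary on the PR

jobs:
  codeql:
    name: CodeQL analysis
    runs-on: ubuntu-latest
    strategy:
      fail-fast: false
      matrix:
        include:
          - language: javascript-typescript
            build-mode: none
          - language: java-kotlin
            build-mode: none   # build mode "none" for Java, as the default setup uses
    steps:
      - uses: actions/checkout@v4
      - uses: github/codeql-action/init@v3
        with:
          languages: ${{ matrix.language }}
          build-mode: ${{ matrix.build-mode }}
          queries: security-extended   # the extended query suite recommended in global settings
      - uses: github/codeql-action/analyze@v3
        with:
          category: "/language:${{ matrix.language }}"

  dependency-review:
    name: Dependency review
    if: github.event_name == 'pull_request'   # needs a base/head manifest diff to compare
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/dependency-review-action@v4
        with:
          fail-on-severity: low        # the default already fails on any vulnerable package; made explicit
          comment-summary-in-pr: always
```

Unlike the default setup, this workflow is a file in the repository, so its triggers and query suite are visible and reviewable in the PR that changes them.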

Competitors

  • Fortify
