
This repository demonstrates how to use GitHub Advanced Security (GHAS) features, including Code Scanning (CodeQL), Secret Scanning, and Dependabot. It includes a sample vulnerable application for security testing and learning.


palo-it-th/ghas-demo


GitHub Advanced Security (GHAS) Demo Project

This project demonstrates key GitHub Advanced Security (GHAS) features, including Code Scanning, Secret Scanning, and Dependency Management.

📌 Features

🔍 Code Scanning

Objective: Identify and fix security vulnerabilities in the source code using CodeQL analysis.

The code-scan.yml GitHub workflow:

  • Runs all custom queries from the custom-queries folder.
  • Runs on pushes and pull requests to the main branch.
  • Supports multi-language analysis (currently Java).
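As an added illustration of the workflow described above (this is example code written for this note, not the repository's own code-scan.yml), the following GitHub Actions workflow runs CodeQL on pushes and pull requests to main and adds the queries from the custom-queries folder to the default suite. Assumptions: action versions (`actions/checkout@v4`, `actions/setup-java@v4`, `github/codeql-action/*@v3`), Java 17 with a Gradle wrapper, and a `qlpack.yml` inside custom-queries so CodeQL can resolve the queries.

```yaml
# .github/workflows/code-scan.yml (example, not the project's file)
name: CodeQL code scan

on:
  push:
    branches: [ main ]
  pull_request:
    branches: [ main ]

permissions:
  contents: read
  security-events: write   # needed to upload SARIF results to Code Scanning

jobs:
  analyze:
    runs-on: ubuntu-latest
    strategy:
      fail-fast: false
      matrix:
        language: [ java-kotlin ]   # add entries here to scan more languages

    steps:
      - uses: actions/checkout@v4

      - uses: actions/setup-java@v4
        with:
          distribution: temurin
          java-version: '17'        # assumption: match the project's toolchain

      - name: Initialize CodeQL
        uses: github/codeql-action/init@v3
        with:
          languages: ${{ matrix.language }}
          # The leading "+" keeps the default query suite and adds the
          # repository's own queries; the folder must contain a qlpack.yml.
          queries: +./custom-queries

      # Java is a compiled language: CodeQL traces the build to create its database.
      - name: Build with Gradle
        run: ./gradlew --no-daemon build -x test

      - name: Perform CodeQL analysis
        uses: github/codeql-action/analyze@v3
        with:
          category: "/language:${{ matrix.language }}"
```

The `security-events: write` permission is the one most often forgotten: without it the analyze step cannot upload results, so nothing appears in the Security tab even though the workflow succeeds.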

To run CodeQL locally, follow the instructions in the run-codeql-locally file.

🔑 Secret Scanning

Objective: Detect and prevent accidental exposure of secrets.

In this demo, GitHub Secret Scanning flags the secrets committed in the application.properties file.

📦 Dependency Management

Objective: Continuously monitor dependencies for known vulnerabilities.

🔔 Dependabot Alerts

  • For Gradle projects, the dependency-submission.yml GitHub workflow resolves the project's dependencies and submits them to the Dependency Graph via the Dependency Submission API (the Dependency Graph does not parse Gradle build scripts on its own).
  • With the graph populated, Dependabot Alerts can detect known vulnerabilities in those dependencies.
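As an added example of the submission workflow described above (written for this note, not the repository's own dependency-submission.yml), the following workflow resolves the Gradle dependency graph and submits it. Assumptions: action versions (`actions/checkout@v4`, `actions/setup-java@v4`, `gradle/actions/dependency-submission@v3`) and Java 17.

```yaml
# .github/workflows/dependency-submission.yml (example, not the project's file)
name: Gradle dependency submission

on:
  push:
    branches: [ main ]

permissions:
  contents: write   # the Dependency Submission API writes to the repository's dependency graph

jobs:
  dependency-submission:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - uses: actions/setup-java@v4
        with:
          distribution: temurin
          java-version: '17'   # assumption: match the project's toolchain

      # Resolves every configuration of the Gradle build and submits the
      # resulting snapshot; Dependabot Alerts are raised against this snapshot.
      - name: Generate and submit the dependency graph
        uses: gradle/actions/dependency-submission@v3
```

Because the snapshot is tied to the commit that was built, run this on the branch whose state you want alerts for (here main); alerts for a pull request branch require the workflow to run there too.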

🔄 Dependabot Version Updates

  • Dependabot scans the dependency files for outdated versions.
  • It automatically opens an individual pull request (PR) for each update.
  • The behaviour is configured in dependabot.yml.
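As an added example of such a configuration (written for this note, not the repository's own dependabot.yml), the following file tells Dependabot to check the Gradle dependencies and the workflow's own actions once a week and to open one PR per update. The schedule, PR limit and the inclusion of the github-actions ecosystem are assumptions.

```yaml
# .github/dependabot.yml (example, not the project's file)
version: 2
updates:
  # Gradle dependencies declared in build.gradle / build.gradle.kts
  - package-ecosystem: "gradle"
    directory: "/"
    schedule:
      interval: "weekly"
    open-pull-requests-limit: 5   # assumption: cap noise from many outdated libraries

  # Keep the actions used in .github/workflows up to date as well;
  # a stale action version is itself part of the supply chain.
  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      interval: "weekly"
```

Version updates and security updates are separate: the schedule above drives version updates, while Dependabot security updates are raised as soon as an alert exists for a dependency, independent of the interval.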

🚀 Pre-requisites

  1. Enable GitHub Advanced Security (GHAS) for this repository.
  2. Review and configure the dependabot.yml and dependency-submission.yml files.
  3. Set up Code Scanning for the repository.
  4. Monitor security alerts in the GitHub Security tab.

🔹 Created for demonstration purposes. 🚀
