This article is part of a series on adopting GitHub Advanced Security at scale. For the previous article in this series, see "Phase 1: Align on your rollout strategy and goals."
Code scanning is a feature that you use to analyze the code in a GitHub repository to find security vulnerabilities and coding errors. Any problems identified by the analysis are shown in GitHub Enterprise Cloud. For more information, see "About code scanning."
Rolling code scanning out across hundreds of repositories is hard to do well without preparation. The steps below are intended to make your rollout both efficient and successful.
Code scanning is also available for all public repositories on GitHub.com without a license for GitHub Advanced Security.
First, prepare your teams to use code scanning. The more teams that use code scanning, the more data you'll have to drive remediation plans and monitor progress on your rollout.
For an introduction to code scanning, see:
- "About code scanning"
- "About code scanning alerts"
- "Managing code scanning alerts for your repository"
Your core focus should be preparing as many teams to use code scanning as possible. You can also encourage teams to remediate appropriately, but we recommend prioritizing enablement and use of code scanning over fixing issues during this phase.
Note: When secret scanning detects a secret in repositories owned by organizations that use GitHub Enterprise Cloud and have a license for GitHub Advanced Security, GitHub alerts all users with access to security alerts for the repository.
Secrets found in public repositories using secret scanning alerts for partners are reported directly to the partner, without creating an alert on GitHub Enterprise Cloud. For details about the supported partner patterns, see "Secret scanning patterns."
If a project communicates with an external service, it might use a token or private key for authentication. If you check a secret into a repository, anyone who has read access to the repository can use the secret to access the external service with your privileges. Because the secret stays in the Git history even after it is removed from the latest commit, treat any checked-in secret as compromised and revoke or rotate it rather than only deleting it. Secret scanning scans the entire Git history on every branch of your GitHub repositories for secrets and, depending on how it is configured, alerts you or blocks the push that contains the secret. For more information, see "About secret scanning."
Secret scanning alerts for partners run automatically on public repositories and public npm packages, notifying service providers about secrets leaked on GitHub.com.
Secret scanning alerts for users are available for free on all public repositories.
Enabling secret scanning at the organization level is easy, but clicking Enable All at the organization level and selecting the option Automatically enable secret scanning for every new repository has downstream effects that you should be aware of:
Enabling secret scanning for all repositories will consume all your licenses, even if no one is using code scanning. GitHub Advanced Security licenses are consumed per unique active committer on repositories where the feature is enabled, so enabling it everywhere consumes a seat for every active committer in the organization regardless of which features they use. This is fine unless you plan to increase the number of active developers in your organization. If the number of active developers is likely to increase in the coming months, you may exceed your license limit and then be unable to use GitHub Advanced Security on newly created repositories.
If you enable secret scanning on a large organization, expect a high number of secrets to be found. This often comes as a surprise and triggers an incident response. If you want to turn on secret scanning across all repositories at once, plan in advance how you will triage and respond to many alerts across the organization.
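The following is an added example of the kind of triage plan the previous paragraph asks for; it is not GitHub's own tooling. The alert records are constructed to resemble entries returned by the REST endpoint for listing an organization's secret scanning alerts, and the field names used (number, state, secret_type, created_at, repository.full_name) are an assumption about that response shape. Which secret types count as high risk is a local policy choice made here for illustration, not a GitHub classification.

```python
"""Triage a batch of secret scanning alerts ahead of a large rollout.

Added example, not GitHub's own tooling. SAMPLE_ALERTS is constructed to
resemble records returned by GET /orgs/{org}/secret-scanning/alerts; the
field names used are an assumption about that response shape.
"""
from collections import Counter
from datetime import datetime

# Constructed sample data: three repositories, six alerts, one already resolved.
SAMPLE_ALERTS = [
    {"number": 1, "state": "open", "secret_type": "aws_access_key_id",
     "created_at": "2024-01-03T10:00:00Z", "repository": {"full_name": "octo-org/payments"}},
    {"number": 2, "state": "open", "secret_type": "slack_incoming_webhook_url",
     "created_at": "2024-01-05T08:30:00Z", "repository": {"full_name": "octo-org/payments"}},
    {"number": 7, "state": "resolved", "secret_type": "aws_access_key_id", "resolution": "revoked",
     "created_at": "2023-12-20T12:00:00Z", "repository": {"full_name": "octo-org/website"}},
    {"number": 3, "state": "open", "secret_type": "github_personal_access_token",
     "created_at": "2023-11-15T09:00:00Z", "repository": {"full_name": "octo-org/infra"}},
    {"number": 4, "state": "open", "secret_type": "aws_secret_access_key",
     "created_at": "2024-01-03T10:00:00Z", "repository": {"full_name": "octo-org/payments"}},
    {"number": 5, "state": "open", "secret_type": "slack_incoming_webhook_url",
     "created_at": "2024-01-10T16:45:00Z", "repository": {"full_name": "octo-org/website"}},
]

# Local policy (assumption for this example): credentials that grant broad cloud
# or source-control access are handled before everything else.
HIGH_RISK_TYPES = {"aws_access_key_id", "aws_secret_access_key", "github_personal_access_token"}


def _created(alert):
    # created_at is RFC 3339 with a trailing Z; fromisoformat needs an explicit offset on older Pythons.
    return datetime.fromisoformat(alert["created_at"].replace("Z", "+00:00"))


def open_alerts(alerts):
    """Only unresolved alerts need a response."""
    return [a for a in alerts if a["state"] == "open"]


def count_by_type(alerts):
    """Open alerts per secret type: tells you which revocation runbooks you need."""
    return dict(Counter(a["secret_type"] for a in open_alerts(alerts)))


def count_by_repo(alerts):
    """Open alerts per repository: tells you which teams to contact first."""
    return dict(Counter(a["repository"]["full_name"] for a in open_alerts(alerts)))


def triage_order(alerts):
    """Return open alert numbers in response order: high-risk types first,
    then oldest first, because an old leak has had the longest exposure."""
    ranked = sorted(
        open_alerts(alerts),
        key=lambda a: (a["secret_type"] not in HIGH_RISK_TYPES, _created(a), a["number"]),
    )
    return [a["number"] for a in ranked]


def rollout_summary(alerts):
    """Headline numbers for the status report that accompanies an org-wide enablement."""
    opened = open_alerts(alerts)
    by_repo = count_by_repo(alerts)
    return {
        "total": len(alerts),
        "open": len(opened),
        "resolved": len(alerts) - len(opened),
        "high_risk_open": sum(a["secret_type"] in HIGH_RISK_TYPES for a in opened),
        "busiest_repo": max(by_repo, key=by_repo.get) if by_repo else None,
    }


if __name__ == "__main__":
    print(rollout_summary(SAMPLE_ALERTS))
    print(count_by_type(SAMPLE_ALERTS))
    print(count_by_repo(SAMPLE_ALERTS))
    print(triage_order(SAMPLE_ALERTS))
```

Sorting by type first and age second reflects the usual trade-off: a cloud key is worth more to an attacker than a webhook URL, and among equally risky leaks the oldest has had the most time to be harvested. Substitute your own list of high-risk types and pass real API output in place of the constructed sample.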
Secret scanning can be enabled for individual repositories. For more information, see "Configuring secret scanning for your repositories." Secret scanning can also be enabled for all repositories in your organization, as described above. For more information on enabling for all repositories, see "Managing security and analysis settings for your organization."
Secret scanning detects a large number of default patterns but can also be configured to detect custom patterns, such as secret formats unique to your infrastructure or used by integrators that GitHub Enterprise Cloud's secret scanning does not currently detect. Custom patterns are regular expressions evaluated with the Hyperscan library, which supports only a subset of PCRE syntax; backreferences and lookaround are not available. For more information about supported secrets for partner patterns, see "Secret scanning patterns."
As you audit your repositories and speak to security and developer teams, build a list of the secret types that you will later use to configure custom patterns for secret scanning. For more information, see "Defining custom patterns for secret scanning."
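Once you have that list, each candidate pattern should be checked before it is configured. The script below is an added example, not GitHub's own code: it rejects regex constructs that Hyperscan does not support and then runs the candidate against a constructed corpus of positive and negative sample lines, including a documentation placeholder that shows why a "must not match" requirement is useful. The token format `acme_` followed by 32 alphanumerics is hypothetical. Python's `re` module is not Hyperscan, so a pattern that passes here still needs a dry run in the GitHub custom pattern form before you publish it.

```python
"""Validate candidate custom secret scanning patterns before configuring them.

Added example, not GitHub's own code. The `acme_` token format is hypothetical,
and CORPUS is constructed sample data. Python's re module approximates, but is
not, the Hyperscan engine GitHub uses, so a pass here is a prerequisite for,
not a replacement for, a dry run in the custom pattern form.
"""
import re

# Hyperscan has no backreferences and no lookaround; catch both before they fail server-side.
UNSUPPORTED = [
    (re.compile(r"\\[1-9]"), "backreference"),
    (re.compile(r"\(\?<?[=!]"), "lookaround"),
]

# Hypothetical internal token: fixed prefix plus 32 alphanumerics.
CANDIDATE = r"acme_[A-Za-z0-9]{32}"

TOKEN = "acme_" + "0123456789abcdef0123456789abcdef"   # 32 hex characters
TOKEN2 = "acme_" + "A1b2C3d4" * 4                      # 32 mixed characters
PLACEHOLDER = "acme_" + "X" * 32                       # README placeholder, not a real secret

# Constructed corpus: (path, line, contains_real_secret)
CORPUS = [
    ("src/config.yml", f"api_key: {TOKEN}", True),
    ("deploy/.env", f'ACME_TOKEN="{TOKEN2}"', True),
    ("README.md", f"export ACME_TOKEN={PLACEHOLDER}  # replace with your key", False),
    ("src/settings.py", "acme_region = 'us-east-1'", False),
    ("build/checksums.txt", "0123456789abcdef0123456789abcdef  app.tar.gz", False),
]


def unsupported_constructs(pattern):
    """Names of Hyperscan-incompatible constructs found in the pattern."""
    return [name for probe, name in UNSUPPORTED if probe.search(pattern)]


def evaluate(pattern, corpus, must_not_match=None):
    """Run the secret pattern over each line and tally outcomes.

    must_not_match mirrors the "must not match" additional requirement in the
    custom pattern form: it is applied to the candidate secret itself, not the
    whole line, and suppresses the match when it hits.
    """
    if found := unsupported_constructs(pattern):
        raise ValueError(f"pattern uses unsupported constructs: {found}")
    secret_re = re.compile(pattern)
    exclude_re = re.compile(must_not_match) if must_not_match else None

    result = {"tp": 0, "fp": 0, "fn": 0, "tn": 0, "matches": []}
    for path, line, is_secret in corpus:
        m = secret_re.search(line)
        matched = m is not None and not (exclude_re and exclude_re.search(m.group(0)))
        if matched:
            result["matches"].append((path, m.group(0)))
        key = {(True, True): "tp", (True, False): "fp", (False, True): "fn", (False, False): "tn"}
        result[key[(matched, is_secret)]] += 1
    return result


if __name__ == "__main__":
    print(unsupported_constructs(r"(secret)\1"))            # ['backreference']
    print(evaluate(CANDIDATE, CORPUS))                       # 1 false positive: the placeholder
    print(evaluate(CANDIDATE, CORPUS, must_not_match=r"[Xx]{8}"))  # placeholder suppressed
```

The checksum line shows why the fixed prefix matters: 32 hex characters alone would fire on every hash in the repository. The README line shows the opposite failure, a well-formed placeholder that produces an alert nobody can act on; excluding runs of `X` with a "must not match" requirement removes it without weakening the match on real tokens. Keep the corpus of positives and negatives alongside the pattern so that later edits can be re-checked the same way.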
For the next article in this series, see "Phase 3: Pilot programs."