|
| 1 | +--- |
| 2 | +title: GitHub Advanced Security step configuration |
| 3 | +description: Scan code repositories with GitHub Advanced Security (GHAS). |
| 4 | +sidebar_label: GitHub Advanced Security step configuration |
| 5 | +sidebar_position: 201 |
| 6 | +--- |
| 7 | + |
| 8 | +<DocsTag text="Code repo scanners" backgroundColor="#cbe2f9" textColor="#0b5cad" link="/docs/security-testing-orchestration/whats-supported/scanners?view-by=target-type#code-repo-scanners" /> |
| 9 | +<DocsTag text="Orchestration" backgroundColor="#e3cbf9" textColor="#5c0bad" link="/docs/security-testing-orchestration/get-started/key-concepts/run-an-orchestrated-scan-in-sto" /> |
| 10 | +<DocsTag text="Extraction" backgroundColor="#e3cbf9" textColor="#5c0bad" link="/docs/security-testing-orchestration/get-started/key-concepts/extraction-scans" /> |
| 11 | +<DocsTag text="Ingestion" backgroundColor="#e3cbf9" textColor="#5c0bad" link="/docs/security-testing-orchestration/get-started/key-concepts/ingest-scan-results-into-an-sto-pipeline" /> |
| 12 | +<br/> |
| 13 | +<br/> |
| 14 | + |
| 15 | +The GitHub Advanced Security (GHAS) step in Harness STO enables you to scan your code repositories from the following GHAS products: |
| 16 | + |
| 17 | +- **[CodeQL](#codeql) (SAST):** Identify code vulnerabilities. Supported in [**Orchestration**](#scan-mode), [**Extraction**](#scan-mode), and [**Ingestion**](#scan-mode). |
| 18 | +- **[Dependabot](#dependabot) (SCA):** Detect vulnerable open-source dependencies. Supported in [**Orchestration**](#scan-mode), [**Extraction**](#scan-mode), and [**Ingestion**](#scan-mode). |
| 19 | +- **[Secret Scanning](#secret-scanning):** Detect exposed secrets such as API keys and tokens. Supported in [**Extraction**](#scan-mode) and [**Ingestion**](#scan-mode). |
| 20 | + |
| 21 | +:::info |
| 22 | +- To run scans as a non-root user, you can use custom STO scan images and pipelines. See [Configure your pipeline to use STO images from private registry](/docs/security-testing-orchestration/use-sto/set-up-sto-pipelines/configure-pipeline-to-use-sto-images-from-private-registry). |
| 23 | +- STO supports multiple workflows for loading self-signed certificates. See [Run STO scans with custom SSL certificates](/docs/security-testing-orchestration/use-sto/secure-sto-pipelines/ssl-setup-in-sto/#supported-workflows-for-adding-custom-ssl-certificates). |
| 24 | +::: |
| 25 | + |
| 26 | +## GitHub Advanced Security step settings |
| 27 | + |
| 28 | +The recommended workflow is to add a GitHub Advanced Security step to a **Security** or **Build** stage and configure it as described below. |
| 29 | + |
| 30 | +### Scan |
| 31 | + |
| 32 | +#### Scan Mode |
| 33 | + |
| 34 | +- **Orchestration**: Executes the scan, normalizes, and deduplicates results. Supported for **CodeQL** and **Dependabot**. |
| 35 | + :::note |
| 36 | + - To comply with [GitHub’s licensing requirements](https://docs.github.com/en/get-started/learning-about-github/about-github-advanced-security#about-github-advanced-security-products), orchestration scans are uploaded to GitHub and then imported into STO. |
| 37 | + - **Orchestration** mode currently supports *Python (pip)* and *JavaScript/TypeScript (npm or yarn)*. **Extraction** mode supports all languages available in GHAS. |
| 38 | + ::: |
| 39 | + |
| 40 | +- **Extraction**: Pulls existing results from GitHub APIs (**CodeQL**, **Dependabot**, **Secret Scanning**). |
| 41 | +- **Ingestion**: Ingests SARIF files from previously run GHAS scans. |
| 42 | + |
| 43 | +#### Scan Configuration |
| 44 | + |
| 45 | +import StoSettingProductConfigName from './shared/step-palette/scan/config-name.md'; |
| 46 | + |
| 47 | +<StoSettingProductConfigName /> |
| 48 | + |
| 49 | +The GitHub Advanced Security step supports the following configurations: |
| 50 | +- **[CodeQL](#codeql)** |
| 51 | +- **[Dependabot](#dependabot)** |
| 52 | +- **[Secret Scanning](#secret-scanning)** |
| 53 | + |
| 54 | +### CodeQL |
| 55 | +You can use **CodeQL** to perform Static Application Security Testing (SAST). For details about CodeQL itself, see the [CodeQL documentation](https://docs.github.com/en/code-security/code-scanning/introduction-to-code-scanning/about-code-scanning-with-codeql). |
| 56 | + |
| 57 | +Here are a few important points to note when using CodeQL with **Orchestration mode**: |
| 58 | +- The repository must be configured with **Advanced setup** for **CodeQL analysis**. To do this, go to your repository settings, click on **Advanced Security**, then go to **Code scanning** section and select **Advanced setup** for **CodeQL analysis**. If you're using default setup, you must switch to Advanced setup before running scans with Orchestration scan mode. |
| 59 | + |
| 60 | +For **Extraction mode**, CodeQL works with both **Default** and **Advanced setup**. |
| 61 | + |
| 62 | +--- |
| 63 | + |
| 64 | +### Dependabot |
| 65 | +You can use **Dependabot** for dependency (SCA) scans. For more information, see the [Dependabot documentation](https://docs.github.com/en/code-security/dependabot/dependabot-alerts/about-dependabot-alerts). |
| 66 | + |
| 67 | +Prerequisites for Dependabot scans: |
| 68 | +- **Dependabot alerts** must be enabled. To check this, go to your repository settings, select **Advanced Security**, then click on **Enable** for **Dependabot alerts**. |
| 69 | +- **Dependabot** with **Orchestration mode** requires a **Docker-in-Docker (DinD)** background step. When you configure this step, set the **Entrypoint** to `dockerd-entrypoint.sh` instead of `dockerd`. For setup instructions, go to [Configure Docker-in-Docker (DinD) for your pipeline](/docs/security-testing-orchestration/sto-techref-category/security-step-settings-reference#configuring-docker-in-docker-dind-for-your-pipeline). |
| 70 | + |
| 71 | +--- |
| 72 | + |
| 73 | +### Secret Scanning |
| 74 | +You can use **Secret Scanning** to detect exposed secrets such as API keys, tokens, or other sensitive values in your repositories. For more details about this feature, see the [Secret Scanning documentation](https://docs.github.com/en/code-security/securing-your-organization/understanding-your-organizations-exposure-to-leaked-secrets/choosing-github-secret-protection). |
| 75 | + |
| 76 | +Prerequisites for Secret Scanning: |
| 77 | +- **Secret protection** must be enabled. To enable this, go to your repository settings, click on **Advanced Security**, then click on **Enable** for **Secret Protection**. |
| 78 | + |
| 79 | +### Target |
| 80 | + |
| 81 | +#### Type |
| 82 | +import StoSettingScanTypeRepo from './shared/step-palette/target/type/repo.md'; |
| 83 | + |
| 84 | +<StoSettingScanTypeRepo /> |
| 85 | + |
| 86 | +#### Name |
| 87 | +import StoSettingTargetName from './shared/step-palette/target/name.md'; |
| 88 | + |
| 89 | +<StoSettingTargetName /> |
| 90 | + |
| 91 | +#### Variant |
| 92 | +import StoSettingTargetVariant from './shared/step-palette/target/variant.md'; |
| 93 | + |
| 94 | +<StoSettingTargetVariant /> |
| 95 | + |
| 96 | +#### Workspace |
| 97 | +import StoSettingTargetWorkspace from './shared/step-palette/target/workspace.md'; |
| 98 | + |
| 99 | +<StoSettingTargetWorkspace /> |
| 100 | + |
| 101 | +### Ingestion File |
| 102 | +import StoSettingIngestionFile from './shared/step-palette/ingest/file.md'; |
| 103 | + |
| 104 | +<StoSettingIngestionFile /> |
| 105 | + |
| 106 | +### Authentication |
| 107 | + |
| 108 | +#### Access Token |
| 109 | +import StoSettingAuthAccessToken from './shared/step-palette/auth/access-token.md'; |
| 110 | + |
| 111 | +<StoSettingAuthAccessToken /> |
| 112 | + |
| 113 | +Use a GitHub fine-grained **Personal Access Token (PAT)** with the following repository permissions: |
| 114 | + |
| 115 | +| **Scan Mode** | **Permission** | **Level** | |
| 116 | +|---------------|--------------------------|---------------| |
| 117 | +| **Orchestration** (CodeQL, Dependabot) | Code scanning alerts | Read & Write | |
| 118 | +| | Dependabot alerts | Read & Write | |
| 119 | +| | Secret scanning alerts | Read & Write | |
| 120 | +| **Extraction** (CodeQL, Dependabot, Secret Scanning) | Code scanning alerts | Read-only | |
| 121 | +| | Dependabot alerts | Read-only | |
| 122 | +| | Secret scanning alerts | Read-only | |
| 123 | + |
| 124 | +Make sure **Repository access** is set to *All repositories* or *Only selected repositories*. |
| 125 | + |
| 126 | +### Log Level |
| 127 | +import StoSettingLogLevel from './shared/step-palette/all/log-level.md'; |
| 128 | + |
| 129 | +<StoSettingLogLevel /> |
| 130 | + |
| 131 | +### Fail on Severity |
| 132 | +import StoSettingFailOnSeverity from './shared/step-palette/all/fail-on-severity.md'; |
| 133 | + |
| 134 | +<StoSettingFailOnSeverity /> |
| 135 | + |
| 136 | +### Additional Configuration |
| 137 | +import ScannerRefAdditionalConfigs from './shared/additional-config.md'; |
| 138 | + |
| 139 | +<ScannerRefAdditionalConfigs /> |
| 140 | + |
| 141 | +### Advanced Settings |
| 142 | +import ScannerRefAdvancedSettings from './shared/advanced-settings.md'; |
| 143 | + |
| 144 | +<ScannerRefAdvancedSettings /> |
| 145 | + |
| 146 | +## Proxy settings |
| 147 | +import ProxySettings from './shared/proxy-settings.md'; |
| 148 | + |
| 149 | +<ProxySettings /> |
0 commit comments