Closed NickCorcoran closed 3 years ago
Meeting scheduled w/ GitHub staff on 28 June 2021.
SSO Links:
GHAS Deep-Dive / Demo: To be scheduled / 2nd week of July
GHAS Background and Links:
In regards to GitHub Advanced Security: range of services, integration, training, support: here is a breakdown
Range of Services
GitHub provides Security features across both GitHub Enterprise and GitHub Advanced Security. At a glance, here is what is offered in each:
Included in GitHub Enterprise:
- Securing your software supply chain: https://docs.github.com/en/code-security/supply-chain-security
- Understanding your software supply chain: https://docs.github.com/en/code-security/supply-chain-security/understanding-your-software-supply-chain
- Keeping your dependencies updated automatically: https://docs.github.com/en/code-security/supply-chain-security/keeping-your-dependencies-updated-automatically
- Managing vulnerabilities in your project's dependencies: https://docs.github.com/en/code-security/supply-chain-security/managing-vulnerabilities-in-your-projects-dependencies
Included in GitHub Advanced Security:
- Code scanning alerts: https://docs.github.com/en/code-security/secure-coding
  Automatically detect security vulnerabilities and coding errors in new or modified code. Potential problems are highlighted, with detailed information, allowing you to fix the code before it's merged into your default branch. For more information, see "About code scanning."
- Secret scanning alerts: https://docs.github.com/en/code-security/secret-security
  For private repositories, view any secrets that GitHub has found in your code. You should treat tokens or credentials that have been checked into the repository as compromised. For more information, see "About secret scanning."
- Dependency review
  Show the full impact of changes to dependencies and see details of any vulnerable versions before you merge a pull request. For more information, see "About dependency review."
Training and Support
In regards to training: We can work through our Professional Services team to determine which areas BC Gov would like to be trained on around Securing the SDLC. This includes both GitHub Enterprise and GitHub Advanced Security. We would need to schedule a scoping call to determine your needs.

In regards to support: BC Gov has continued access to our GitHub Support Engineers for any technical questions or issues. This is included with your GitHub Enterprise agreement and at no additional cost: https://enterprise.github.com/support
This ticket to be closed. Details on Deep Dive to be documented in separate ticket.