From the course: GitHub Advanced Security Cert Prep by Microsoft Press
Join today to access over 24,700 courses taught by industry experts.
Contrast the steps for using CodeQL versus third-party analysis when enabling code scanning - GitHub Tutorial
From the course: GitHub Advanced Security Cert Prep by Microsoft Press
Contrast the steps for using CodeQL versus third-party analysis when enabling code scanning
“
- [Instructor] Okay, yes, this is a important question. Are you looking at either/or, both/and? This analysis may result in you are not purchasing GitHub Advanced Security right now, or it may solidify your decision to go with GHAS, and then layer in third-party tools on top, but let's look at some top line distinctions. CodeQL has a huge advantage because it's made by GitHub, and therefore, it's natively integrated with not only GitHub Actions, but the entire GitHub APIs. You have the QL language with built-in query packs, community-contributed query packs, and you can write your own queries for very specific code-scanning security analysis. The biggest hurdle to CodeQL, in my personal experience, is that the syntax and config is pretty dense. That's just my opinion. Third-party tools, you can take advantage of all of the premium value that a software-as-a-service vendor can give, particularly if it's a proprietary company. Predefined rule sets, but then again, you're limited to the…
Download courses and learn on the go
Watch courses on your mobile device without an internet connection. Download courses using your iOS or Android LinkedIn Learning app.
Watch this course anytime, anywhere.
Get started with a free trial today.
Contents
-
-
Learning objectives48s
-
(Locked)
Differentiate security features with open-source projects and the features available when GHAS pairs with GHEC or GHES5m 1s
-
(Locked)
Describe the features and benefits of a security overview1m 32s
-
(Locked)
Describe the differences between secret scanning and code scanning2m 34s
-
(Locked)
Describe how secret scanning, code scanning, and Dependabot create a more secure software development lifecycle4m 33s
-
(Locked)
Contrast a security scenario with an isolated security review and an advanced scenario13m 32s
-
-
-
Learning objectives41s
-
(Locked)
Describe how vulnerable dependencies are identified2m
-
(Locked)
Explain how to act on alerts from GHAS1m 47s
-
(Locked)
Explain the implications of ignoring an alert2m 12s
-
(Locked)
Explain the role of a developer when they discover a security alert2m 2s
-
(Locked)
Describe the differences in access management to view alerts for different security features2m 48s
-
(Locked)
Describe a security policy in a GitHub repository1m 2s
-
(Locked)
Identify where to use Dependabot alerts in the software development lifecycle25m 49s
-
-
-
Learning objectives43s
-
(Locked)
Describe secret scanning6m 13s
-
(Locked)
Choose when secret scanning occurs1m 16s
-
(Locked)
Contrast secret scanning availability for public and private repositories2m 18s
-
(Locked)
Enable secret scanning for private repositories1m 38s
-
(Locked)
Enable secret scanning for an organization1m 4s
-
(Locked)
Explain how to pick an appropriate response to a secret scanning alert34s
-
(Locked)
Determine if an alert is generated for a given secret, pattern, or service provider56s
-
(Locked)
Determine if a given user role will see secret scanning alerts21m 38s
-
-
-
Learning objectives29s
-
(Locked)
Configure the recipients of a secret scanning alert3m 22s
-
(Locked)
Describe how to exclude certain files from being scanned for secrets2m 51s
-
(Locked)
Explain how to enable custom secret scanning for a repository2m 43s
-
(Locked)
Explain how to enable custom secret scanning for an organization18m 2s
-
-
-
Learning objectives27s
-
(Locked)
Define a vulnerability1m 8s
-
(Locked)
Describe Dependabot alerts3m 51s
-
(Locked)
Describe Dependabot security updates2m 37s
-
(Locked)
Define the dependency graph2m 37s
-
(Locked)
Describe how the dependency graph is generated2m
-
(Locked)
Describe how alerts are generated for vulnerable dependencies14m 33s
-
-
-
Learning objectives33s
-
(Locked)
Identify the default settings for Dependabot alerts in public and private repositories1m 55s
-
(Locked)
Identify the permissions and roles required to enable Dependabot alerts1m 20s
-
(Locked)
Identify the permissions and roles required to view Dependabot alerts45s
-
(Locked)
Enable Dependabot alerts for private repositories28s
-
(Locked)
Enable Dependabot alerts for organizations1m 3s
-
(Locked)
Create a valid Dependabot configuration file55s
-
(Locked)
Configure notifications for vulnerable dependencies11m 52s
-
-
-
Learning objectives33s
-
(Locked)
Identify a vulnerable dependency from a Dependabot alert2m 51s
-
(Locked)
Identify vulnerable dependencies from a pull request1m 37s
-
(Locked)
Enable Dependabot security updates1m 21s
-
(Locked)
Remedy a vulnerability from a Dependabot alert in the Security tab51s
-
(Locked)
Remedy a vulnerability from a Dependabot alert in the context of a pull request1m 17s
-
(Locked)
Act on any Dependabot alerts by testing and merging pull requests9m 26s
-
-
-
Learning objectives26s
-
(Locked)
Describe code scanning5m 45s
-
(Locked)
List the steps for enabling code scanning in a repository using GitHub Actions3m 18s
-
(Locked)
Enable code scanning for use with a CodeQL analysis workflow2m 47s
-
(Locked)
Describe how code scanning relates to GitHub Actions consumption16m 50s
-
-
-
Learning objectives30s
-
(Locked)
Enable code scanning for use with third-party analysis5m 1s
-
(Locked)
Contrast the steps for using CodeQL versus third-party analysis when enabling code scanning2m 31s
-
(Locked)
Contrast how to implement CodeQL analysis in a GitHub Actions workflow versus a third-party CI tool14m 49s
-
-
-
Learning objectives27s
-
(Locked)
Describe how code scanning fits in the software development lifecycle1m 15s
-
(Locked)
Contrast the frequency of code scanning workflows2m 37s
-
(Locked)
Choose a triggering event for a given development pattern1m 11s
-
(Locked)
Edit the default template for the Actions workflow to fit an active, open-source, production repository15m 41s
-
-
-
(Locked)
Learning objectives32s
-
(Locked)
Introduce a CodeQL analysis workflow to a repository1m 17s
-
(Locked)
List the locations in which CodeQL queries can be specified for use with code scanning3m 23s
-
(Locked)
Configure the language matrix in a CodeQL workflow2m 47s
-
(Locked)
Reference a CodeQL query from a public repository within a code scanning workflow1m 19s
-
(Locked)
Reference a CodeQL query from a private repository within a code scanning workflow1m 12s
-
(Locked)
Reference a CodeQL query from a local directory within a code scanning workflow38s
-
(Locked)
Reference a configuration file within the same repository1m 8s
-
(Locked)
Reference a configuration file in a remote public repository1m 6s
-
(Locked)
Execute code scanning with the CodeQL CLI41s
-
(Locked)
Contrast the steps to execute code scanning in GitHub Actions vs. the CodeQL CLI10m 24s
-
(Locked)
-
-
(Locked)
Learning objectives33s
-
(Locked)
Describe how to view code scanning results from CodeQL analysis1m 49s
-
(Locked)
Troubleshoot a failing code scanning workflow using CodeQL2m 36s
-
(Locked)
Follow the data flow through code using the show paths experience1m 38s
-
(Locked)
Explain the reason for a code scanning alert given documentation linked from the alert1m 4s
-
(Locked)
Determine if and why a code scanning alert needs to be dismissed1m 22s
-
(Locked)
Describe potential shortfalls in CodeQL via a model of compilation and language support1m 47s
-
(Locked)
Optimize CodeQL analysis runtimes17m 9s
-
(Locked)
-
-
(Locked)
Learning objectives40s
-
(Locked)
Use a CVE and CWE to describe a GitHub Advanced Security alert and list potential remediation3m 34s
-
(Locked)
Advanced security alert and list potential remediation1m 48s
-
(Locked)
Describe the decision-making process for closing and dismissing security alerts1m 21s
-
(Locked)
Determine the roles and responsibilities of development and security teams on a software development workflow1m 4s
-
(Locked)
Explain how to set a review cadence with security teams when appropriate1m 37s
-
(Locked)
Use security policies to instruct all contributors to better secure their repositories2m 4s
-
(Locked)
Compare the code scanning alert against the repository's security policy53s
-
(Locked)
Align repository branch protection configuration with written security policies11m 24s
-
(Locked)
-
-
(Locked)
Learning objectives42s
-
(Locked)
Explain how GitHub Advanced Security features are enabled on GitHub Enterprise Server1m 36s
-
(Locked)
Explain how GitHub Advanced Security features are enabled for an organization48s
-
(Locked)
Set security policies for a repository58s
-
(Locked)
Set security policies for an organization1m 39s
-
(Locked)
Describe how permissions are interpreted throughout a security workflow2m 5s
-
(Locked)
Locate API endpoints for GHAS features, like secret scanning, code scanning, and Dependabot1m
-
(Locked)
List stakeholders that need to be involved in the security workflows enabled by GHAS1m 33s
-
(Locked)
Configure code scanning within a repository or organization using the default CodeQL workflow1m 6s
-
(Locked)
Identify the custom build steps necessary in a CodeQL workflow5m 27s
-
(Locked)