The GitHub Services Engineers have released the Advanced Security Enforcer GitHub Action to enable organizations to utilize code scanning in a consistent and automated way.
Adopting GitHub Advanced Security features like code scanning and secret scanning can greatly improve an organization’s security posture. It actually detects and prevents security issues in code by allowing you to see security issues in your pull requests as part of your code review process. Today, the path to rolling those features out to your organization just got a lot easier!
The Advanced Security Enforcer GitHub Action was built by the GitHub Services Engineers to enable a large government agency to utilize code scanning in a consistent and automated way. As the agency continues to grow, they can rest assured that each new repository will be configured for code scanning. This enables them to find high-priority, exploitable security issues in their code at the scale of their entire organization. Now, it has been open sourced so everyone can use and improve it!
The Advanced Security Enforcer is a GitHub Action available on the GitHub Marketplace. Organizations that want newly created code repositories using a compatible language can run the action nightly. This means teams don’t have to start from a template repository and they will still be brought into compliance. The following languages are compatible with code scanning at this time with more coming soon!
When you’ve configured a repository in your organization to start running this action, any time you create a new repository, a pull request will be opened in that repository with a configuration file for code scanning. You just need to supply the action with access to your organization so that it can determine when new repositories are created.
To get started, create a new repository in the organization you want to use this action in and copy the default workflow file from the GitHub Actions page. Here is what it looks like when I do that in my demo organization.
Then you will need to set up the repository secrets GH_ACTOR, GH_TOKEN, and ORGANIZATION. GH_ACTOR should just represent a valid email address for your organization. This allows the action to get a higher rate limit when interfacing with the GitHub API. GH_TOKEN should be a token with repo read permissions to all repositories in the organization—preferably from a service account. Lastly, the ORGANIZATION should just be the name of the organization as it appears in GitHub.
Now that you have set that up, you can see the previous action runs as they are available daily.
We encourage you to set up this action and start the process of improving your organization’s security today.
We’re always looking to improve this action, and are eager to hear how it is working for you. If you’d like to help contribute to this action, check out our contributing guide.
Start your free trial for 30 days and increase your team’s collaboration. $21 per user/month after trial expires.
Curious about other plans?
In March, we experienced two incidents that resulted in degraded performance across GitHub services.
This blog post is an in-depth walkthrough on how we perform security research leveraging GitHub features, including code scanning, CodeQL, and Codespaces.
In this post, I’ll look at CVE-2023-6241, a vulnerability in the Arm Mali GPU that allows a malicious app to gain arbitrary kernel code execution and root on an Android phone. I’ll show how this vulnerability can be exploited even when Memory Tagging Extension (MTE), a powerful mitigation, is enabled on the device.
Zack Koppert 
