Table of Contents<\/h2>\n\n- What is GHAS?<\/a><\/li>\n
- Why GHAS?<\/a><\/li>\n
- Features of GHAS<\/a><\/li>\n
- Components of GHAS<\/a><\/li>\n
- Conclusion<\/a><\/li>\n
- References<\/a><\/li>\n<\/ol>\n<\/div>\n
1. What is GHAS?<\/h2>\n
GitHub Advanced Security (GHAS) is a suite of built-in security capabilities designed to help software teams identify, prevent, and remediate security risks directly within GitHub.<\/p>\n
It enhances the software development lifecycle<\/a> by integrating automated security testing into the developer workflow, ensuring vulnerabilities are caught early and remediated quickly.<\/p>\nGHAS empowers organizations with advanced code analysis, secret exposure detection, and dependency vulnerability management – all without requiring additional external tools.<\/p>\n
2. Why GHAS?<\/h2>\n
Modern applications rely heavily on open-source libraries, automation, cloud services, and complex CI\/CD systems.<\/p>\n
This increases the risk of:<\/p>\n
\n- Vulnerable code entering production<\/li>\n
- Hardcoded secrets getting exposed<\/li>\n
- Using outdated or vulnerable dependencies<\/li>\n
- Insecure GitHub Actions workflows<\/li>\n<\/ul>\n
GHAS helps solve these problems by:<\/strong><\/p>\n\n- Providing shift-left security<\/li>\n
- Reducing reliance on multiple scattered tools<\/li>\n
- Offering seamless GitHub integration<\/li>\n
- Automating alerts, scanning, and remediation<\/li>\n
- Improving developer productivity<\/li>\n<\/ul>\n\n
Are you looking: Shift-left security solutions<\/a><\/p>\n<\/div>\n3. Features of GHAS<\/h2>\n
GHAS provides the following major capabilities:<\/p>\n
Code Scanning (via CodeQL)<\/h3>\n\n- Performs static code analysis<\/li>\n
- Detects vulnerabilities like SQL injection, XSS<\/li>\n
- Runs via CLI, GitHub Actions, and API<\/li>\n<\/ul>\n
Code Scanning PoC (CodeQL)<\/h3>\nUnderstanding CodeQL<\/h5>\n
CodeQL is the static analysis engine used by GitHub Advanced Security<\/strong> to detect security vulnerabilities in codebases.<\/p>\nDevelopers can query code like a database<\/strong>, identifying patterns that could lead to:<\/p>\n\n- SQL injection<\/li>\n
- XSS attacks<\/li>\n
- Hardcoded secrets<\/li>\n
- Lack of rate limiting<\/li>\n
- Command injection & more<\/li>\n<\/ul>\n
CodeQL scanning can be executed: Locally with CodeQL CLI<\/p>\n
\n- On GitHub via CodeQL workflow<\/li>\n
- Through GitHub API<\/a><\/li>\n<\/ul>\n
Objective of This PoC<\/h5>\n\n- Introduce vulnerable application code<\/li>\n
- Configure CodeQL workflow in GitHub<\/li>\n
- Trigger scan via push event<\/li>\n
- Validate alerts shown in Security \u2192 Code Scanning<\/strong><\/li>\n
- Apply secure fixes<\/li>\n
- Confirm alerts marked resolved<\/strong> after mitigation<\/li>\n<\/ul>\n
Repository Setup<\/h5>\n
Folder structure added:<\/p>\n
codeql-poc\/ \u2514\u2500\u2500 app.js<\/p>\n
Initial vulnerable code committed to repo.<\/p>\n
Repo: https:\/\/github.com\/himanshu0085\/ghas-poc<\/a><\/p>\n<\/p>\n
<\/p>\n
Introducing Vulnerabilities<\/h5>\n
codeql-poc\/app.js<\/code> \u2014 intentionally insecure:<\/p>\n\n- SQL Injection<\/li>\n
- Cross-Site Scripting (XSS)<\/li>\n
- Hardcoded secret<\/li>\n
- Missing rate limiting<\/li>\n<\/ul>\n
![\"\"](\"https:\/\/opstree.com\/blog\/wp-content\/uploads\/2025\/12\/image-2-1024x488.png\")
<\/p>\n
Enable CodeQL Code Scanning<\/h5>\n\n- Go to Security<\/strong> tab<\/li>\n
- Under Code Scanning<\/strong>, Click Set up CodeQL<\/strong><\/li>\n
- Select Default Configuration<\/strong><\/li>\n
- Commit workflow file:<\/li>\n<\/ol>\n
.github\/workflows\/codeql.yml<\/code><\/p>\nExpected Alerts<\/h5>\n
After workflow runs, CodeQL will report vulnerabilities:<\/p>\n
\n
1. What is GHAS?<\/h2>\n
GitHub Advanced Security (GHAS) is a suite of built-in security capabilities designed to help software teams identify, prevent, and remediate security risks directly within GitHub.<\/p>\n
It enhances the software development lifecycle<\/a> by integrating automated security testing into the developer workflow, ensuring vulnerabilities are caught early and remediated quickly.<\/p>\n GHAS empowers organizations with advanced code analysis, secret exposure detection, and dependency vulnerability management – all without requiring additional external tools.<\/p>\n Modern applications rely heavily on open-source libraries, automation, cloud services, and complex CI\/CD systems.<\/p>\n This increases the risk of:<\/p>\n GHAS helps solve these problems by:<\/strong><\/p>\n Are you looking: Shift-left security solutions<\/a><\/p>\n<\/div>\n GHAS provides the following major capabilities:<\/p>\n CodeQL is the static analysis engine used by GitHub Advanced Security<\/strong> to detect security vulnerabilities in codebases.<\/p>\n Developers can query code like a database<\/strong>, identifying patterns that could lead to:<\/p>\n CodeQL scanning can be executed: Locally with CodeQL CLI<\/p>\n Folder structure added:<\/p>\n codeql-poc\/ \u2514\u2500\u2500 app.js<\/p>\n Initial vulnerable code committed to repo.<\/p>\n Repo: https:\/\/github.com\/himanshu0085\/ghas-poc<\/a><\/p>\n <\/p>\n <\/p>\n After workflow runs, CodeQL will report vulnerabilities:<\/p>\n2. Why GHAS?<\/h2>\n
\n
\n
3. Features of GHAS<\/h2>\n
Code Scanning (via CodeQL)<\/h3>\n
\n
Code Scanning PoC (CodeQL)<\/h3>\n
Understanding CodeQL<\/h5>\n
\n
\n
Objective of This PoC<\/h5>\n
\n
Repository Setup<\/h5>\n
Introducing Vulnerabilities<\/h5>\n
codeql-poc\/app.js<\/code> \u2014 intentionally insecure:<\/p>\n\n
<\/p>\nEnable CodeQL Code Scanning<\/h5>\n
\n
.github\/workflows\/codeql.yml<\/code><\/p>\nExpected Alerts<\/h5>\n
![\"\"](\"https:\/\/opstree.com\/blog\/wp-content\/uploads\/2025\/12\/image-26-1024x484.png\")
<\/p>\n![\"\"](\"https:\/\/opstree.com\/blog\/wp-content\/uploads\/2025\/12\/image-27-1024x484.png\")
<\/p>\n![\"\"](\"https:\/\/opstree.com\/blog\/wp-content\/uploads\/2025\/12\/image-28-1024x484.png\")
<\/p>\n![\"\"](\"https:\/\/opstree.com\/blog\/wp-content\/uploads\/2025\/12\/image-29-1024x474.png\")
<\/p>\n![\"\"](\"https:\/\/opstree.com\/blog\/wp-content\/uploads\/2025\/12\/image-30-1024x474.png\")
<\/p>\n![\"\"](\"https:\/\/opstree.com\/blog\/wp-content\/uploads\/2025\/12\/image-31-1024x474.png\")
<\/p>\n![\"\"](\"https:\/\/opstree.com\/blog\/wp-content\/uploads\/2025\/12\/image-32-1024x484.png\")
<\/p>\n![\"\"](\"https:\/\/opstree.com\/blog\/wp-content\/uploads\/2025\/12\/image-10-1024x549.png\")
<\/p>\n![\"\"](\"https:\/\/opstree.com\/blog\/wp-content\/uploads\/2025\/12\/image-11-1024x491.png\")
<\/p>\n![\"\"](\"https:\/\/opstree.com\/blog\/wp-content\/uploads\/2025\/12\/image-12-1024x484.png\")
<\/p>\n![\"\"](\"https:\/\/opstree.com\/blog\/wp-content\/uploads\/2025\/12\/image-13-1024x484.png\")
<\/p>\n![\"\"](\"https:\/\/opstree.com\/blog\/wp-content\/uploads\/2025\/12\/image-14-1024x484.png\")
<\/p>\n![\"\"](\"https:\/\/opstree.com\/blog\/wp-content\/uploads\/2025\/12\/image-15-1024x484.png\")
<\/p>\n![\"\"](\"https:\/\/opstree.com\/blog\/wp-content\/uploads\/2025\/12\/image-16-1024x656.png\")
<\/p>\n![\"\"](\"https:\/\/opstree.com\/blog\/wp-content\/uploads\/2025\/12\/image-17-1024x484.png\")
<\/p>\n![\"\"](\"https:\/\/opstree.com\/blog\/wp-content\/uploads\/2025\/12\/image-18-1024x491.png\")
<\/p>\n![\"\"](\"https:\/\/opstree.com\/blog\/wp-content\/uploads\/2025\/12\/image-19-1024x484.png\")
<\/p>\n![\"\"](\"https:\/\/opstree.com\/blog\/wp-content\/uploads\/2025\/12\/image-20-1024x484.png\")
<\/p>\n![\"\"](\"https:\/\/opstree.com\/blog\/wp-content\/uploads\/2025\/12\/image-21-1024x484.png\")
<\/p>\n![\"\"](\"https:\/\/opstree.com\/blog\/wp-content\/uploads\/2025\/12\/image-22-1024x484.png\")
<\/p>\n![\"\"](\"https:\/\/opstree.com\/blog\/wp-content\/uploads\/2025\/12\/image-23-1024x555.png\")
<\/p>\n![\"\"](\"https:\/\/opstree.com\/blog\/wp-content\/uploads\/2025\/12\/image-24-1024x537.png\")
<\/p>\n![\"\"](\"https:\/\/opstree.com\/blog\/wp-content\/uploads\/2025\/12\/image-25-1024x482.png\")
<\/p>\n