GitHub Security enforcer action

How to use GitHub Security enforcer action to automatically add Security Code Scanning to all new repositories

GitHub takes security seriously and gives you some nice capabilities to improve security of your code through all its lifecycle. GitHub actions can be used to automatically run a security code analysis in your repositories, a task that should be run for all of your repositories in your organization.

Security scanning should be enabled on all repositories

Some days ago in a GitHub blog post a new action was announced called Advanced-Security-Enforcer that is aimed to automate the task of adding GitHub Workflow to perform code analysis.

Reading the documentation, this action does the following tasks:

  • A CRON job on GitHub actions triggers a nightly run of this script
  • The script checks for new repositories by storing the known repositories to a file
  • It then iterates over new repositories and opens a pull request for the codeql.yml file stored in this repository

Basically each day, at night, this action will scan the account for new repositories (created day before) to make a pull request for codeql.yml file.

This kind of actions are interesting because they can enforce best security practices in your organization. Another possibility is to have a predefined skeleton directory for an empty project based on different type of projects; this skeleton project usually contains already predefined Action Workflows in the .github/workflow directory.

Gian Maria.