GitHub takes security seriously and gives you some nice capabilities to improve security of your code through all its lifecycle. GitHub actions can be used to automatically run a security code analysis in your repositories, a task that should be run for all of your repositories in your organization.

Security scanning should be enabled on all repositories

Some days ago in a GitHub blog post a new action was announced called Advanced-Security-Enforcer that is aimed to automate the task of adding GitHub Workflow to perform code analysis.

Reading the documentation, this action does the following tasks:

  • A CRON job on GitHub actions triggers a nightly run of this script
  • The script checks for new repositories by storing the known repositories to a file
  • It then iterates over new repositories and opens a pull request for the codeql.yml file stored in this repository

Basically each day, at night, this action will scan the account for new repositories (created day before) to make a pull request for codeql.yml file.

This kind of actions are interesting because they can enforce best security practices in your organization. Another possibility is to have a predefined skeleton directory for an empty project based on different type of projects; this skeleton project usually contains already predefined Action Workflows in the .github/workflow directory.

Gian Maria.