GitHub Advanced Security (GHAS) ships four tools free on public repositories: secret scanning, Dependabot, CodeQL code scanning, and Copilot Autofix. Enabling all four takes under ten clicks under Settings > Advanced Security. Private repositories require a paid GHAS license. The setup is the least interesting part of this article.

The mechanics matter more. Dependabot converts GitHub Advisory Database entries directly into pull requests targeting vulnerable dependency versions, removing the manual CVE-tracking step entirely. Secret scanning catches committed API keys and tokens before they are exploited, but GitHub does not revoke them for you. You revoke at the source, such as Azure or Stripe, then close the alert as resolved. CodeQL analysis, set to Default mode, runs static analysis on your codebase and surfaces risky code paths in the Security tab alongside the other alerts.
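
The triage decisions described above, as an added example that is not part of the original post: the alert payloads are constructed samples shaped like the REST API responses for Dependabot and secret scanning alerts (owner, repo and GHSA ids are placeholders), and the code makes no network call. It separates Dependabot alerts that a fix PR can close from those with no patched version, holds secret alerts that are not confirmed inactive until the credential is revoked at the provider, and only then builds the request that marks the alert resolved.

```python
SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}

# Constructed sample payloads (not real alerts) shaped like the REST API responses from
# GET /repos/{owner}/{repo}/dependabot/alerts and GET .../secret-scanning/alerts.
DEPENDABOT_ALERTS = [
    {"number": 7, "state": "open", "dependency": {"package": {"name": "example-lib"}},
     "security_advisory": {"ghsa_id": "GHSA-xxxx-xxxx-xxxx", "severity": "high"},
     "security_vulnerability": {"first_patched_version": {"identifier": "2.4.1"}}},
    {"number": 9, "state": "open", "dependency": {"package": {"name": "example-parser"}},
     "security_advisory": {"ghsa_id": "GHSA-yyyy-yyyy-yyyy", "severity": "critical"},
     "security_vulnerability": {"first_patched_version": None}},  # advisory lists no fix
    {"number": 11, "state": "fixed", "dependency": {"package": {"name": "example-lib"}},
     "security_advisory": {"ghsa_id": "GHSA-zzzz-zzzz-zzzz", "severity": "low"},
     "security_vulnerability": {"first_patched_version": {"identifier": "0.9.0"}}},
]
SECRET_ALERTS = [  # "validity" is GitHub's liveness check; secret_type names are placeholders
    {"number": 3, "state": "open", "secret_type": "example_provider_key", "validity": "active"},
    {"number": 4, "state": "open", "secret_type": "example_provider_key", "validity": "inactive"},
    {"number": 5, "state": "open", "secret_type": "example_generic_token", "validity": "unknown"},
    {"number": 6, "state": "resolved", "secret_type": "example_provider_key", "validity": "inactive"},
]


def dependabot_triage(alerts):
    """Open alerts ordered by severity, each with the action a reviewer should take.
    Dependabot can only open a fix PR when the advisory names a patched version."""
    rows = []
    for a in alerts:
        if a["state"] != "open":
            continue
        patched = (a["security_vulnerability"].get("first_patched_version") or {}).get("identifier")
        rows.append({"number": a["number"], "package": a["dependency"]["package"]["name"],
                     "severity": a["security_advisory"]["severity"],
                     "action": f"review Dependabot PR bumping to {patched}" if patched
                               else "no patched version: remove or replace the dependency"})
    return sorted(rows, key=lambda r: SEVERITY_RANK.get(r["severity"], len(SEVERITY_RANK)))


def secret_triage(alerts):
    """Split open secret alerts: anything not confirmed inactive is revoked at the
    provider first; only confirmed-dead secrets may be closed straight away."""
    revoke_first = [a["number"] for a in alerts if a["state"] == "open" and a.get("validity") != "inactive"]
    resolve_now = [a["number"] for a in alerts if a["state"] == "open" and a.get("validity") == "inactive"]
    return revoke_first, resolve_now


def resolve_request(owner, repo, number, comment):
    """URL and JSON body for PATCH /repos/{owner}/{repo}/secret-scanning/alerts/{number},
    sent only after the credential has been revoked at its source."""
    return {"url": f"https://api.github.com/repos/{owner}/{repo}/secret-scanning/alerts/{number}",
            "body": {"state": "resolved", "resolution": "revoked", "resolution_comment": comment}}
```

Sending the PATCH needs a token with security_events scope; the constructed payloads stand in for the GET responses so the logic can be exercised without one.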

The full post walks through each alert type with a linked video showing what the actual UI looks like, which is worth seeing if you have never triaged a Dependabot pull request or a secret scanning alert before. Three GitHub Skills interactive labs are referenced directly: introduction to secret scanning, securing your supply chain, and introduction to CodeQL. The vulnerable-node repository is also called out as a live practice target for running these tools against real flaws.
