Strengthening Security with GitHub Advanced Security

Stronger, faster, and more transparent security process empowering developers to address issues in real time.

Introduction

A leading North American distributor with decades of experience wanted to modernize its application security practices. For years, it relied on SonarQube for code analysis, but the system was limited in coverage and required extensive manual configuration. Only a fraction of its repositories were being scanned, leaving potential vulnerabilities undiscovered.

Partnering with Xebia, the company transitioned from SonarQube to GitHub Advanced Security (GHAS). Within weeks, Xebia helped migrate over two thousand repositories, trained teams on secure development practices, and enabled full coverage across the company’s GitHub environment.

At a Glance

Challenge

Limited visibility and coverage in SonarQube, high manual effort, and lack of actionable security insights

Solution

Migration to GitHub Advanced Security using a phased approach, custom reporting, and hands-on training

Results

2,000+ repositories secured

100% code coverage achieved

35,000+ actionable alerts generated for remediation

The Challenge

As one of North America’s largest wholesale distributors, the client operates thousands of locations and employs tens of thousands of associates. Managing security at such scale required robust, automated, and integrated tools.

While SonarQube had been a trusted solution, its cost and manual setup limited effectiveness. Only twelve percent of the company’s repositories were being scanned, and the process produced frequent false positives. The security team needed a scalable alternative that could integrate seamlessly into existing developer workflows and provide real-time insight into vulnerabilities.

The Solution

To validate the transition, Xebia developed a proof of concept that compared GHAS and SonarQube performance side by side. The results clearly demonstrated GHAS’s advantages in speed, accuracy, and ease of integration.

Building on that success, Xebia created a full migration plan focused on enabling GitHub Advanced Security across all repositories hosted in GitHub Enterprise Cloud. The implementation included:

Sandbox Testing

Establishing a secure testing environment with known vulnerabilities to validate scanning accuracy.

Phased Rollout

Enabling GHAS in stages, beginning with Secret Scanning, then CodeQL-based Code Scanning, followed by Dependency Scanning with Dependabot.

Process Automation

Introducing branch protection rules that required CodeQL status checks, ensuring vulnerabilities were addressed before merges.

Training and Knowledge Transfer

Conducting workshops for developers and security specialists to help them interpret GHAS alerts and apply remediations efficiently.

By using the OWASP Juice Shop as a benchmark for testing, Xebia ensured that GHAS covered the most common and critical vulnerabilities seen in real-world applications.
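As an added example (not the client's or Xebia's own configuration), this is how the Code Scanning and Process Automation steps above fit together: a CodeQL workflow that runs on every pull request to `main` and pulls its query configuration from a centralized file in a shared repository, so that one config governs all repositories and the workflow's check can be required before merge. The organization name, shared-repository name, config path and languages are assumptions.

```yaml
# .github/workflows/codeql.yml  (added example; names below are assumptions)
name: CodeQL

on:
  push:
    branches: [main]
  pull_request:
    branches: [main]
  schedule:
    - cron: "30 3 * * 1"   # weekly full scan in addition to PR-triggered scans

permissions:
  contents: read
  security-events: write   # required to upload SARIF results to Code Scanning

jobs:
  analyze:
    # The check reported to the PR is named after this job, e.g.
    # "Analyze (javascript-typescript)"; that is the name selected as a
    # required status check in branch protection so merges wait for it.
    name: Analyze (${{ matrix.language }})
    runs-on: ubuntu-latest
    strategy:
      fail-fast: false
      matrix:
        language: [javascript-typescript, java-kotlin]
    steps:
      - uses: actions/checkout@v4

      - uses: github/codeql-action/init@v3
        with:
          languages: ${{ matrix.language }}
          # Centralized CodeQL configuration (query packs, path filters)
          # kept in one shared repository instead of per-repo copies.
          # "example-org/codeql-central" and the file path are assumed names.
          config-file: example-org/codeql-central/.github/codeql/codeql-config.yml@main

      - uses: github/codeql-action/autobuild@v3

      - uses: github/codeql-action/analyze@v3
        with:
          category: "/language:${{ matrix.language }}"
```

With this in place, the branch protection rule for `main` lists each `Analyze (...)` check as a required status check, which is the enforcement step the Process Automation phase describes. Reading a config file from another repository requires that the workflow's token can access that repository, so a private shared repository needs the appropriate access granted.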

The Outcome

The move to GHAS transformed the company’s security posture. Full repository coverage was achieved, enabling developers and administrators to respond to issues faster and with greater accuracy.

The platform generated more than 35,000 actionable alerts, guiding developers toward targeted improvements. The company’s security visibility improved dramatically, and workflows became faster and less reliant on manual oversight.

The migration also improved scalability. With GHAS now supporting hundreds of licenses, the system can grow effortlessly as new developers join the organization.

Key Learnings

  • Centralized CodeQL files simplify advanced security configuration.
  • Automated workflows accelerate vulnerability detection and remediation.
  • Manual or API-driven actions may be required to enable organization-wide scanning.
  • Developer engagement and training are key to long-term adoption success.

Looking ahead

Following the migration, the company is continuing to strengthen its DevSecOps practices. Future plans include implementing GitHub Advanced Security for Developers and Security Specialists, along with GitHub Actions and Copilot training to further automate and enhance code quality. By integrating automation, AI, and proactive security practices, the organization is paving the way for a safer, more efficient development future.

"The move to GHAS was quick and efficient, integrating seamlessly with existing workflows," says Randy Pagels, DevOps Architect and Trainer at Xebia.
