Best Practices: GitHub Security Campaign

Learn how to plan, execute, and monitor GitHub security campaigns using Endor Labs and GitHub Advanced Security.

A GitHub Security Campaign is a time-bound effort to find, fix, and prevent vulnerabilities across multiple repositories. Endor Labs and GitHub Advanced Security (GHAS) turn findings into coordinated fixes that keep developers working in GitHub. This approach works well when projects share vulnerable dependencies or when your organization faces compliance deadlines.

Endor Labs generates vulnerability findings in SARIF format. Upload the SARIF output to GitHub Advanced Security manually or with a configured GHAS exporter. After import, these findings become actionable alerts that help developers triage, fix, and track vulnerabilities without leaving their familiar environment.

The security campaign allows organizations to:

  • Target a specific class of vulnerabilities, for example Log4j, or CVE-2024-xyz.
  • Drive dependency upgrades and security fixes across all affected repositories.
  • Address secrets detection and SAST findings alongside dependency vulnerabilities for comprehensive remediation.
  • Enforce consistent remediation timelines and accountability across teams.
  • Monitor reduction in overall security debt using both GitHub’s campaign dashboard and Endor Labs analytics.

Ensure you have deployed Endor Labs and enabled GitHub Advanced Security before creating a security campaign.

Use GitHub Security Campaigns to coordinate large-scale remediation by importing Endor Labs findings.

  1. Run a scan with Endor Labs to generate vulnerability findings in SARIF format and upload them to GitHub Advanced Security. See SARIF output format for detailed information on generating, customizing, and uploading SARIF files.
Automatic SARIF upload
Configure Endor Labs GitHub App (Pro) with a GHAS SARIF exporter to automatically upload findings to GitHub after each scan. See Export findings to GitHub Advanced Security for setup instructions.
  2. In GitHub, navigate to Security > Campaigns > New Campaign to define your campaign parameters. Refer to GitHub's security campaign guide for more information on campaign features and configuration options.

  3. Define the scope of your campaign.

    • Organization-wide: Apply the campaign across all repositories in your organization.
    • Selected repositories: Target specific repositories affected by the vulnerability class.
    • Teams or projects: Scope by team ownership or project grouping.
  4. Specify a clear focus area for the campaign that aligns with your security requirements. For example, remediating Log4j vulnerabilities across Java projects, or upgrading vulnerable npm packages to secure versions.

  5. Define campaign objectives with clear remediation timelines. For example, close 80% of critical dependency vulnerabilities within 30 days, or fully remediate exposed secrets within 10 days.

  6. Monitor campaign metrics in GitHub, including the percentage of vulnerabilities remediated, active versus resolved alerts, and repository-level completion.

Security campaigns help you fix alerts at scale and build developer security knowledge. Follow these practices for successful campaigns.

Select a related group of security alerts for remediation rather than attempting to fix all alerts at once. For organizations building secure coding knowledge, prioritize alerts that can serve as learning opportunities.

Use Endor Labs’ reachability analysis and severity scoring to identify high-impact vulnerabilities.

  • Focus on reachable vulnerabilities where the vulnerable code is actually used in execution paths.
  • Filter by exploitability score, CVE severity, or policy violation type.
  • Use Endor Labs Dependency Graph to visualize transitive relationships and focus on the most impactful fixes.
Tip
You can tag repositories with metadata such as critical, frontend, or backend in Endor Labs and scope your campaign accordingly. Exclude inactive or archived repositories to focus efforts where they matter most.
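The scoping and upload described above (steps 1 and 2 of the procedure, and the reachability and severity prioritization in the list just before this tip), as an added example in Python that is not Endor Labs' or GitHub's code. It assumes three things: the SARIF document is a constructed stand-in for a real export (load your own file with `json.load` in its place); the export records reachability under a `properties.reachability` key, which you should check against a real export before relying on it; and the `example-org/payments-service` repository, the `endor-labs` tool name and the regex focus are hypothetical. The upload itself uses GitHub's documented `POST /repos/{owner}/{repo}/code-scanning/sarifs` endpoint, which expects the SARIF gzip-compressed and base64-encoded.

```python
"""Scope an Endor Labs SARIF export to one campaign and build the GHAS upload request.

Added example; not Endor Labs or GitHub code. SAMPLE_SARIF is constructed, and the
``properties.reachability`` key is an assumption about the exporter's output.
"""
import base64
import gzip
import json
import os
import re
import urllib.request

CAMPAIGN_ALERT_LIMIT = 1000          # GitHub caps a campaign at 1,000 alerts
MAX_GZIP_BYTES = 10 * 1024 * 1024    # GitHub rejects gzip-compressed SARIF above 10 MB
_LEVEL_ORDER = {"error": 0, "warning": 1, "note": 2, "none": 3}

# Constructed sample in SARIF 2.1.0 shape, standing in for an endorctl scan export.
# CVE-2021-44228/45046/44832 are real Log4j advisories; SAMPLE-0003 is a placeholder.
SAMPLE_SARIF = {
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "Endor Labs"}},
        "results": [
            {"ruleId": "CVE-2021-44228", "level": "error",
             "message": {"text": "log4j-core 2.14.1: JNDI lookup remote code execution"},
             "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pom.xml"}}}],
             "properties": {"reachability": "REACHABLE"}},
            {"ruleId": "CVE-2021-45046", "level": "error",
             "message": {"text": "log4j-core 2.14.1: incomplete fix for CVE-2021-44228"},
             "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pom.xml"}}}],
             "properties": {"reachability": "UNREACHABLE"}},
            {"ruleId": "SAMPLE-0003", "level": "warning",
             "message": {"text": "placeholder finding in an unrelated dependency"},
             "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pom.xml"}}}],
             "properties": {"reachability": "REACHABLE"}},
            {"ruleId": "CVE-2021-44832", "level": "note",
             "message": {"text": "log4j-core 2.14.1: JDBC appender JNDI data source"},
             "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pom.xml"}}}],
             "properties": {"reachability": "REACHABLE"}},
        ],
    }],
}


def select_campaign_results(sarif, focus_pattern, reachable_only=True,
                            min_level="warning", limit=CAMPAIGN_ALERT_LIMIT):
    """Return (scoped_sarif, drop_counts, truncated), keeping only results in the campaign's focus.

    focus_pattern is a regex tested against ruleId and message text; reachable_only drops
    results the export marked unreachable; min_level drops anything less severe than it.
    """
    pattern = re.compile(focus_pattern, re.IGNORECASE)
    kept, dropped = [], {"out_of_focus": 0, "unreachable": 0, "below_level": 0}
    for run in sarif["runs"]:
        for result in run.get("results", []):
            text = f"{result.get('ruleId', '')} {result.get('message', {}).get('text', '')}"
            if not pattern.search(text):
                dropped["out_of_focus"] += 1
            elif reachable_only and result.get("properties", {}).get("reachability") != "REACHABLE":
                dropped["unreachable"] += 1
            elif _LEVEL_ORDER.get(result.get("level", "warning"), 1) > _LEVEL_ORDER[min_level]:
                dropped["below_level"] += 1
            else:
                kept.append(result)
    # Most severe first, so the campaign cap trims the least important alerts.
    kept.sort(key=lambda r: _LEVEL_ORDER.get(r.get("level", "warning"), 1))
    truncated = len(kept) > limit
    scoped = {"version": sarif["version"],
              "runs": [{"tool": sarif["runs"][0]["tool"], "results": kept[:limit]}]}
    return scoped, dropped, truncated


def build_upload_payload(sarif, commit_sha, ref, tool_name="endor-labs"):
    """Encode SARIF as POST /repos/{owner}/{repo}/code-scanning/sarifs expects: gzip, then base64."""
    compressed = gzip.compress(json.dumps(sarif, separators=(",", ":")).encode())
    if len(compressed) > MAX_GZIP_BYTES:
        raise ValueError(f"compressed SARIF is {len(compressed)} bytes; split the upload")
    return {"commit_sha": commit_sha, "ref": ref, "tool_name": tool_name,
            "sarif": base64.b64encode(compressed).decode("ascii")}


def decode_upload_payload(payload):
    """Reverse build_upload_payload, to inspect exactly what will be sent."""
    return json.loads(gzip.decompress(base64.b64decode(payload["sarif"])))


def upload_sarif(owner, repo, payload, token):
    """POST the payload with a token holding security_events write; returns GitHub's {id, url}."""
    req = urllib.request.Request(
        f"https://api.github.com/repos/{owner}/{repo}/code-scanning/sarifs",
        data=json.dumps(payload).encode(), method="POST",
        headers={"Authorization": f"Bearer {token}", "Accept": "application/vnd.github+json",
                 "X-GitHub-Api-Version": "2022-11-28", "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


if __name__ == "__main__":
    scoped, dropped, truncated = select_campaign_results(SAMPLE_SARIF, r"log4j")
    print(f"kept {len(scoped['runs'][0]['results'])}, dropped {dropped}, truncated={truncated}")
    payload = build_upload_payload(scoped, commit_sha="0" * 40, ref="refs/heads/main")
    token = os.environ.get("GITHUB_TOKEN")       # owner/repo below are hypothetical
    if token:
        print(upload_sarif("example-org", "payments-service", payload, token))
    else:
        print("GITHUB_TOKEN unset; skipping upload of", len(payload["sarif"]), "base64 bytes")
```

Without a token the script only filters and encodes; set `GITHUB_TOKEN` to a token with `security_events` write permission on the target repository to perform the upload, and pass the real commit SHA and ref of the scanned checkout, since GitHub attaches the resulting alerts to that commit. Keeping the drop counts lets you report in the campaign description how many findings were left out of scope and why.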

Include links to relevant educational materials in the campaign description to help developers understand and remediate vulnerabilities effectively, such as OWASP references, secure secrets management guides, or internal upgrade instructions.

Leverage AI-powered tools to accelerate remediation while maintaining code quality:

  • Use GitHub Copilot Autofix to suggest fixes for code scanning alerts automatically, reducing manual effort.
  • Make GitHub Copilot Chat available for developers to ask questions about vulnerabilities, testing, and secure coding best practices.
  • Enable Endor Labs automated remediation PRs to create pull requests with updated dependency versions, vulnerability references (CVE IDs, severity, reachability), and compatibility checks.

Campaign managers play a critical role in maintaining momentum and ensuring developers have the support they need to succeed. Campaign managers should:

  • Review PRs, provide guidance, and maintain consistent communication.

  • Provide a contact link for questions and collaboration.

  • Monitor progress and provide support where needed to ensure sustained engagement.

  • Help resolve complex or unclear fixes through open communication with developers.

Set timelines according to issue complexity and remediation scope. Simple dependency upgrades require minimal validation, whereas compatibility or architectural fixes need extended testing and integration checks. Align campaigns with sprint cycles or release milestones. Iterative, focused campaigns lead to more predictable outcomes and better code quality.

Monitor campaign performance through GitHub dashboards. Track remediation percentage, active versus resolved alerts, repository-level progress, and time-to-fix metrics. Use GitHub Issues for task tracking and developer communication.

Tip
Use GitHub labels such as security-campaign-q4 or log4j-remediation on issues and pull requests to enable easy filtering and audit tracking across repositories.

Scenario: A critical Log4j vulnerability affects multiple Java microservices across the organization.

Campaign execution:

  1. Export a SARIF file containing all dependency vulnerabilities from Endor Labs.
  2. Upload the SARIF file to GitHub to populate alerts across affected repositories.
  3. Create a security campaign titled "Fix outdated Log4j dependencies across all repos".
  4. Assign the campaign to the Java development team with a 30-day remediation deadline.
  5. Developers fix vulnerabilities directly in GitHub by updating affected dependencies.
  6. The security team monitors campaign progress in GitHub until developers resolve 85% of alerts, then closes the campaign.

Outcome: The organization remediates 85% of Log4j-related vulnerabilities within 30 days, improving dependency security posture and reducing exposure to known CVEs.

Can security campaigns include private repositories?
Yes. Security campaigns work with both public and private repositories. For private repositories, turn on GitHub Advanced Security and grant the Endor Labs GitHub App the permissions it needs.
How are alerts selected for a campaign?
GitHub’s campaign filters and Endor Labs’ vulnerability data determine which alerts appear in a campaign. Use Endor Labs’ reachability analysis to prioritize alerts where vulnerable code is actively used in execution paths.
What is the maximum number of active campaigns allowed?
GitHub permits a maximum of 10 active campaigns, each with up to 1,000 alerts. To stay within these limits, prioritize active repositories, target specific vulnerability types, close completed campaigns promptly, and run campaigns sequentially or split them into focused initiatives.
Can multiple campaign types run simultaneously?
Yes. You can run multiple campaign types simultaneously, such as dependency remediation, secrets rotation, and license compliance. Each campaign can target different repositories, teams, or vulnerability classes.
What integrations are available for campaign management?
GitHub Security Campaigns integrate with GitHub Issues, GitHub Actions, Slack, Jira, and Endor Labs. You can export campaign data to business intelligence tools and internal reporting dashboards.