SaaS company reduces developer friction with DevSecOps best practices

A SaaS organization with 300,000+ users wanted to replace its former code scanning solution with GitHub Advanced Security (GHAS) but needed confidence that the new solution could handle its sprawling, multi-repo, multi-language environment. Through daily office hours, targeted guidance, and technical troubleshooting, Modus Create helped the company build an enablement plan that did more than validate GHAS as a replacement. It demonstrated a more intuitive developer experience, with security seamlessly integrated into CI/CD workflows.

Our work involved

• GHAS advisory and enablement
• Developer and security team training
• Code scanning optimization
• CI/CD pipeline integration planning

Impact

A SaaS company delivering generative AI solutions powers the U.S. Department of Justice and nearly every major law firm in the country. As one of the key players shaping the legaltech industry, the company places a premium on trust, scalability, and developer experience.

The company wished to strengthen its DevSecOps practices by moving from its former code scanning solution to GHAS. This would allow the company to consolidate security within its existing developer workflows, improve code scan accuracy, and block hard-coded secrets at commit time.

Challenge

Validating GHAS without source code access

Although GHAS showed potential, that wasn’t enough. The company needed certainty that it could adopt the solution without compromising performance or disrupting its development workflows. The company had over 3,000 repositories in GitHub Enterprise Cloud (GHEC), and the complexity of its environment, spanning multiple languages, only raised the stakes.

The company approached Modus Create to help validate GHAS. But there was a caveat. Due to security policies, our engineers couldn’t access the source code directly. This meant we needed a consultative, knowledge-transfer model rather than a hands-on engagement.

Solution

Phased GHAS rollout at scale

Our GHAS expert and security DevOps engineer joined the team to build a multi-phase enablement plan for GHAS adoption. The approach combined fixed cadences (office hours, training blocks) with on-demand Slack support so progress never stalled, even across time zones.

Phase 1: Groundwork & initial analysis

The sprint began with a structured discovery effort. We confirmed each language in use, flagged repositories not in scope (such as markdown-only documents), and identified high-priority repositories that needed to be addressed first. The team rolled out Default CodeQL in parallel across teams, allowing engineering leads to audit results and identify repositories that required custom configuration. This allowed us to group repositories with issues together.

Phase 2: Building GHAS Actions templates for initial batches

While analysis was still underway, the team began building reusable GHAS Actions templates for C# and TypeScript, the most common languages in the company environment. For Java, the work included custom GitHub Actions and supporting the adoption of private registries. The team shared all outputs in real-time via Slack, office hours, and ad hoc syncs to keep the project moving.

Phase 3: Polyglot repositories & monorepos

With the initial batches complete, the team turned to more complex repo types.

• Polyglot repositories: We reviewed earlier CodeQL deployments, confirmed which detected languages needed scanning, and built custom YAML files for valid combinations (pushed via API or pull requests). Any remaining issues were fixed in the custom configuration and redeployed, using a must-be-ready list to guide priorities. This process was repeated across all language combinations.
• Monorepos: For repositories with multiple languages and projects, we developed a custom CodeQL advanced config, stored the custom YAML config in GitHub, and resolved issues through iterative fixes. The goal was to have a single CodeQL YAML file that would cover monorepos.

Phase 4: Edge cases & troubleshooting

The toughest blocker was the recurring “Low C# analysis quality” warning. Working alongside GitHub engineering, we cycled through autobuild, manual, and none build modes, restored NuGet packages in CI, and validated the new central solution file. Once dependencies were resolved consistently, scan completeness spiked, and the warning cleared. We then outlined how to surface alert counts, false-positive rates, and scan-quality percentages via the GitHub API and visualize them in Power BI, giving leadership a live security dashboard.

By the close of week four, the company’s team could run accurate CodeQL, secret-scanning, and Dependabot checks across target repositories, confident they could expand GHAS unaided during the full rollout.

Phase 5: Role-based training

We didn’t treat enablement as a checkbox. The team designed hands-on sessions tailored to each audience:

• security leads focused on policy and metrics
• developers practiced scan triage and remediation
• engineering managers explored advanced CodeQL and pipeline integration

Every asset was built for reuse, allowing the company to internalize the process and train future teams.

Impact

A secure, enhanced developer environment

The company didn’t just switch platforms. It used the move to GHAS to streamline security workflows, reduce developer friction, and drive faster, more confident decision-making across teams. This resulted in:

• Unified security workflow: GHAS now runs natively across the company’s CI/CD pipelines. CodeQL, GHAS secret scanning (detecting leaked credentials), and Dependabot alerts are triggered automatically on every pull request and release branch, delivering real-time feedback without interrupting developer flow.
• Secret scanning at commit time: The company now uses GHAS secret scanning to block hard-coded credentials before they’re ever merged.
• Faster triage, fewer false positives: Engineers reported improved alert quality and quicker issue resolution. With GHAS integrated into existing workflows and tailored training delivered across teams, developers spend less time sorting signals from noise.
• Enablement plan delivered in four weeks: In just one sprint, the team resolved persistent scan quality issues, integrated GHAS into multi-language pipelines, and built a live Power BI dashboard using the GitHub API to monitor security posture.
• Executive alignment and full rollout approval: The engagement gave leadership the clarity they needed with better visibility, broader coverage, and stronger security ownership across teams. That traction led to a company-wide GHAS rollout.

With GHAS now fully embedded, the company is scaling coverage across all active repositories, continuing enablement for new teams, and using real-time metrics to drive continuous improvement.

This engagement succeeded because the company approached it with clarity, urgency, and a strong drive for excellence. Its engineering and security teams set the pace and proved what’s possible when the right vision meets the right tools.