-[Configuring notifications for dependabot alerts](https://docs.github.com/en/free-pro-team@latest/github/managing-security-vulnerabilities/configuring-notifications-for-vulnerable-dependencies#configuring-notifications-for-dependabot-alerts)
81
+
-[Configuring notifications for Dependabot alerts](https://docs.github.com/en/free-pro-team@latest/github/managing-security-vulnerabilities/configuring-notifications-for-vulnerable-dependencies#configuring-notifications-for-dependabot-alerts)
-[Configuration options for the dependabot.yml file](https://docs.github.com/en/free-pro-team@latest/github/administering-a-repository/configuration-options-for-dependency-updates)
-[Troubleshooting the CodeQL workflow](https://docs.github.com/en/free-pro-team@latest/github/finding-security-vulnerabilities-and-errors-in-your-code/troubleshooting-the-codeql-workflow)
Dependabot can be enabled in the settings of an organization or a repository.
15
15
16
-
1. Go to the repository settings and enable Dependabot alerts in the *Security & analysis* section. You will be prompted to enable the Dependency Graph if it's not enabled already.
16
+
- Go to the repository settings and enable Dependabot alerts in the `Code security and analysis` section. You will be prompted to enable the dependency graph if it's not enabled already.
17
17
18
18
#### Reviewing the dependency graph
19
19
Dependabot uses the dependency graph to determine which dependencies are used by your project.
20
20
21
-
1. Verify in the dependency graph that it found dependencies for:
21
+
- Verify in the dependency graph that it found dependencies for:
22
22
- The frontend service.
23
23
- The authentication service.
24
24
- The gallery service.
25
25
- The storage service.
26
26
27
-
The dependency graph can be access in the `Insights` tab in your repository.
27
+
The dependency graph can be accessed from the `Insights` tab in your repository.
28
28
29
29
#### Viewing and managing results
30
30
31
-
After a few minutes, the security tab in the repository will indicate that there are new security alerts. You will see a "Create a security update" button; if this button is clicked, it will create a Pull Request to update the vulnerable dependency. The next section will show you how to enable security updates for all applicable Dependabot alerts.
31
+
After a few minutes, the `Security` tab in the repository will indicate that there are new security alerts. You will see a **Create a security update** button; click this button to create a pull request (PR) to update the vulnerable dependency. The next section will show you how to enable security updates for all applicable Dependabot alerts.
32
32
33
33
**Note**: If this not the case, we can trigger an analysis by updating `authn-service/requirements.txt`
34
34
35
35
1. Go to the Dependabot alert section to view the detected dependency issues.
36
36
37
37
For each dependency alert, we have the option to create a security update or to dismiss the alert with a reason.
38
38
39
-
2. For one of the alerts create a dependency security update. If Dependabot can update the dependency automatically, it will create a PR.
39
+
2. For one of the alerts, create a dependency security update. If Dependabot can update the dependency automatically, it will create a PR.
40
40
41
-
3. For one of the alerts dimiss the alert.
41
+
3. For one of the alerts, dimiss the alert.
42
42
43
43
#### Enabling Dependabot security updates
44
44
45
-
Dependabot can automatically create PRs to upgrade vulnerable dependencies to non-vulnerable versions. Please note that there may be some Dependabot alerts that don't have patch; therefore, a security update is not available.
45
+
Dependabot can automatically create PRs to upgrade vulnerable dependencies to non-vulnerable versions. Please note that there may be some Dependabot alerts that don't have patches. In those cases, a security update is not available.
46
46
47
-
1. Go to the repository settings and enable Dependabot security updates in the *Security & analysis* section.
47
+
- Go to the repository settings and enable Dependabot security updates in the *Code security & analysis* section.
48
48
49
49
After a few minutes multiple PRs will be created that will upgrade vulnerable dependencies.
50
50
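Review bot: the `+` line "3. For one of the alerts, dimiss the alert." keeps the typo; it should read "dismiss the alert". The same change also names the settings section two different ways, "`Code security and analysis`" in the Dependabot alerts step and "*Code security & analysis*" in the Dependabot security updates step; pick one spelling and one markup style for UI labels. While here, the untouched note "**Note**: If this not the case" is missing "is".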
@@ -55,18 +55,18 @@ You can enable Dependabot [*version updates*](https://docs.github.com/en/code-se
55
55
- When version updates are created.
56
56
- What labels are assigned to enable filtering options.
57
57
- Who is assigned to the PR and who should review it.
58
-
-Specify which dependencies are updated and how they are updated.
58
+
-Which dependencies are updated and how they are updated.
59
59
60
-
Create the file `.github/dependabot.yml` in your repository and configure the `pip` dependency manager to:
61
-
1. Look for dependency information in the directory `authn-service`.
60
+
Create the `.github/dependabot.yml` file in your repository and configure the `pip` dependency manager to:
61
+
1. Look for dependency information in the `authn-service` directory.
62
62
63
63
2. Schedule daily version updates.
64
64
65
-
3. Prefix the commit message with the package manager `pip`.
65
+
3. Prefix the commit message with the `pip` package manager.
66
66
67
-
4. Assign the PR to yourself and a person from your workshop team as a reviewer. When specifying GitHub handles in the yml, do so without the `@` symbol. Please see below solution as an example.
67
+
4. Assign the PR to yourself and a person from your workshop team as a reviewer. When specifying GitHub handles in the yml, do so without the `@` symbol. Please see the following solution as an example.
68
68
69
-
5. Add the custom label `triage-required` to enable filtering of the PRs (Make sure the label exists by adding it to `https://github.com/<owner>/<your repo>/labels`).
69
+
5. Add the custom label `triage-required` to enable filtering of the PRs.
70
70
71
71
6. Verify your changes by adding a [vulnerable dependency](https://github.com/advisories?query=severity%3Ahigh+ecosystem%3Apip) to `auth-service/requirements.txt`. For example:
72
72
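Review bot: deleting the parenthetical from step 5 removes the only instruction to create the `triage-required` label before using it, and the later exercise in this file ("Add a non-existing label to the configuration" followed by "Look at the created PR to determine if the configuration has been satisfied") only works as a teaching point if readers have first seen the label applied when it exists; keep a short version such as "(create the label in the repository's Labels page first)". Separately, step 1 points `pip` at the `authn-service` directory while step 6 edits `auth-service/requirements.txt`; Dependabot version updates only read manifests in the configured `directory`, so one of the two paths is wrong and the verification step will not exercise the configuration as written.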
@@ -79,7 +79,7 @@ How would you know if the configuration cannot be satisfied?
79
79
80
80
1. Add a non-existing label to the configuration.
81
81
82
-
2. Trigger a new dependabot security update by adding a vulnerable dependency to one of the projects
82
+
2. Trigger a new dependabot security update by adding a vulnerable dependency to one of the projects.
83
83
For example, we can add the dependency `django-two-factor-auth==1.11` to `auth-service/requirements.txt`
84
84
85
85
3. Look at the created PR to determine if the configuration has been satisfied.
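Review bot: the context line "For example, we can add the dependency `django-two-factor-auth==1.11` to `auth-service/requirements.txt`" has the same missing full stop that this hunk fixes on step 2, and "dependabot security update" is lowercase while the rest of the file now writes "Dependabot". The `auth-service` path here also differs from the `authn-service` directory configured earlier in the file; the two should agree.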
@@ -109,15 +109,15 @@ updates:
109
109
110
110
#### Working with Dependency Review
111
111
112
-
If a Pull Request has dependency changes, you can [review](https://docs.github.com/en/github/collaborating-with-pull-requests/reviewing-changes-in-pull-requests/reviewing-dependency-changes-in-a-pull-request) them and see if there are known vulnerabilities with the dependency changes.
112
+
If a PR has dependency changes, you can [review](https://docs.github.com/en/github/collaborating-with-pull-requests/reviewing-changes-in-pull-requests/reviewing-dependency-changes-in-a-pull-request) them and see if there are known vulnerabilities with the dependency changes.
113
113
114
114
1. Add a vulnerable dependency to `auth-service/requirements.txt` and commit to a new branch. For example, here's a vulnerable dependency:
115
115
116
116
```requirements.txt
117
117
...
118
118
django-piston==0.2.0
119
119
```
120
-
2. Create a Pull Request, and click on `Files changed`.
120
+
2. Create a PR, and click on `Files changed`.
121
121
3. Click on the `Display the rich diff` button on the `requirements.txt` file to review dependency changes.
122
122
123
123
💡**Now that we're familiar with Dependabot, let's head over to the secret scanning section, and learn more about it! [Click here](lab%202%20-%20secret-scanning.md).** 💡
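Review bot: the fence info string "requirements.txt" is not a language name and will not be highlighted; use "text" (or a recognized alias for pip requirements files if the renderer supports one). The step "2. Create a PR, and click on `Files changed`." wraps the button name in backticks, while the earlier section of this file uses bold for buttons (**Create a security update**); choose one convention for UI elements across the file.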
exercises/lab 2 - secret-scanning.md (12 additions & 12 deletions)
@@ -8,24 +8,24 @@
8
8
-[Excluding files from secret scanning](#excluding-files-from-secret-scanning)
9
9
-[Managing access to alerts](#managing-access-to-alerts)
10
10
11
-
### _**Practical Exercise 2**_
11
+
### _**Lab 2**_
12
12
13
13
#### Enabling secret scanning
14
14
Secret scanning can be enabled in the settings of an organization or a repository.
15
15
16
-
1. Go to the repository settings and enable secret scanning in the *Security & analysis* section.
16
+
1. Go to the repository settings and enable secret scanning in the `Code security and analysis` section.
17
17
18
18
#### Viewing and managing results
19
-
After a few minutes, the security tab in the repository will indicate that there are new security alerts.
19
+
After a few minutes, the `Security` tab in the repository will indicate that there are new security alerts.
20
20
21
-
1. Go to the secret scanning section to view the detected secrets.
21
+
- Go to the `Secret scanning` section to view the detected secrets.
22
22
23
23
For each secret, look at the options to close it and determine which one is most suitable.
24
24
25
25
#### Introducing a test secret
26
-
When developing test cases it might be the case that secrets are introduced that cannot be abused when disclosed. Secret scanning will still detect and alert on these secrets.
26
+
When developing test cases, you might find that secrets are introduced that cannot be abused when disclosed. Secret scanning will still detect and alert on these secrets.
27
27
28
-
1. In the GitHub repository file explorer create a test file that will contain a test secret.
28
+
1. In the GitHub repository file explorer, create a test file that contains a test secret.
29
29
- For example the file `storage-service/src/main/resources/application.dev.properties` with the secrets
30
30
```
31
31
AWS_ACCESS_KEY_ID="AKIAZBQE345LKPTEAHQD"
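Review bot: the conversion of single-step numbered lists to bullets is applied unevenly in this hunk: "1. Go to the secret scanning section" becomes "- Go to the `Secret scanning` section", but "1. Go to the repository settings and enable secret scanning" and "1. In the GitHub repository file explorer, create a test file" stay numbered even though each is also a single step; apply one rule throughout. The example line "For example the file `storage-service/src/main/resources/application.dev.properties` with the secrets" also needs a comma after "For example" and a colon before the code block that follows it.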
@@ -68,9 +68,9 @@ While we can close a detected secret as being used in a test, we can also config
68
68
```
69
69
70
70
#### Custom patterns for secret scanning
71
-
Secret scanning supports finding other [secret patterns](https://docs.github.com/en/code-security/secret-security/defining-custom-patterns-for-secret-scanning), which are specified by regex patterns and uses the Hyperscan library.
71
+
Secret scanning supports finding other [secret patterns](https://docs.github.com/en/code-security/secret-security/defining-custom-patterns-for-secret-scanning), which are specified by regex patterns and use the Hyperscan library.
72
72
73
-
1. Add a custom secret pattern by going to the Security and Analysis settings and under the header "Custom patterns" click on `New pattern`.
73
+
1. Add a custom secret pattern by going to the `Code security and analysis` settings and under the header "Custom patterns" click on `New pattern`.
74
74
2. Add a custom pattern name, a secret format and test cases.
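Review bot: "which are specified by regex patterns and use the Hyperscan library" fixes the verb agreement but still attaches Hyperscan to the patterns rather than to the scanner; "which are specified as regular expressions and matched using the Hyperscan library" says what is meant. Step 1 is a run-on and mixes double quotes with backticks for UI labels; "In the `Code security and analysis` settings, under `Custom patterns`, click `New pattern`." reads better and matches the quoting used elsewhere in the change.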
Due to the nature of secrets, the alerts are only visible to organization and repository administrators.
86
-
Access to other members and teams can be given in the `Security & analysis` setting.
86
+
Access to other members and teams can be given in the `Code security and analysis` setting.
87
87
88
-
**Note:** The member or teams requires write privileges before access to alerts can be given.
88
+
**Note:** The member or teams require write privileges before access to alerts can be given.
89
89
90
-
1. In the access to alerts section, add another team member or team to provide access to your repository alerts.
90
+
- In the `Access to alerts` section, add another team member or team to provide access to your repository alerts.
91
91
92
92
93
-
💡**Now that we're familiar with secret scanning, let's head over to the code scanning section, and learn more about it! [Click here](lab%203%20-%20code-scanning.md).** 💡
93
+
💡**Now that we're familiar with secret scanning, let's head over to the code scanning section, and learn more about it!** 💡
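Review bot: the `+` line drops the "[Click here](lab%203%20-%20code-scanning.md)" link, so the hand-off to lab 3 is lost while the equivalent closing line of lab 1 keeps its link to lab 2. If the target file was renamed, update the link rather than removing it. Also, "The member or teams require write privileges before access to alerts can be given." still reads awkwardly after the verb fix; "The member or team must have write access before access to alerts can be granted." is clearer.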
-[Adding your own code scanning suite to exclude rules](#adding-your-own-code-scanning-suite-to-exclude-rules)
14
14
15
-
### _**Practical Exercise 3**_
15
+
### _**Lab 3**_
16
16
17
17
#### Enabling code scanning
18
18
19
-
1.Go to the `Code scanning alerts` section in the `Security` tab.
19
+
1.On the `Security` tab, in the **Vulnerability alerts** section, click **Code scanning**, and then click the **Configure CodeQL alerts** button.
20
20
21
-
2.Start the `Set up this workflow` step in the `CodeQL Analysis` card.
21
+
2.Review the created Action workflow file `codeql-analysis.yml` and choose `Start commit` to accept the default proposed workflow.
22
22
23
-
3. Review the created Action workflow file `codeql-analysis.yml` and choose `Start commit` to accept the default proposed workflow.
24
-
25
-
4. Head over to the `Actions` tab to see the created workflow in action. Click on the workflow to view details and status for each analysis job.
23
+
3. Head over to the `Actions` tab to see the created workflow in action. Click on the workflow to view details and status for each analysis job.
26
24
27
25
28
26
#### Reviewing any failed analysis job
29
27
30
-
CodeQL requires a build of compiled languages, and an analysis job can fail if our *autobuilder* is unable to build a program to extract an analysis database.
28
+
CodeQL requires a build of compiled languages. An analysis job can fail if our *autobuilder* is unable to build a program to extract an analysis database.
31
29
32
-
1. Inside the workflow you'll see a list of jobs on the left. Click on the Java job to view the logging output and review any errors to determine if there's a build failure.
30
+
1. Inside the workflow you'll see a list of jobs on the left. Click on the Java job to view the logging output and review any errors to determine if there's a build failure.
33
31
34
32
2. The build failure appears to be caused by a JDK version mismatch. Our project targets JDK version 15. How can we check the Java version that the GitHub hosted runner is using? Does the logging output provide any helpful information?
35
33
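Review bot: "1.On the `Security` tab, ..." and "2.Review the created Action workflow file ..." have no space after the list number, so Markdown renders them as plain paragraphs rather than as the first two items of the list that "3. Head over to the `Actions` tab" continues; add the space (the `-` lines had the same defect, so this rewrite is the place to fix it). The new step 1 also mixes bold (**Vulnerability alerts**, **Configure CodeQL alerts**) and backticks (`Security`) for UI labels within one sentence.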
@@ -76,7 +74,7 @@ How would you [modify](https://docs.github.com/en/free-pro-team@latest/actions/r
76
74
77
75
#### Reviewing and managing results
78
76
79
-
1. Go to the `Code scanning results` in the `Security` tab.
77
+
1. On the `Security` tab, view the `Code scanning alerts`.
80
78
81
79
2. For a result, determine:
82
80
1. The issue reported.
@@ -102,17 +100,17 @@ Follow the next steps to see it in action.
102
100
```
103
101
2. Is the vulnerability detected in your PR?
104
102
105
-
3. You can also configure the check failures for Code Scanning. Go into the `Security & Analysis` settings and modify the Check Failures. Set it to `Only critical/ Only errors` and see how that affects the code scanning status check for subsequent PR checks. In the next steps, you will be enabling additional query suites that have other severity types.
103
+
3. You can also configure the check failures for code scanning. Go into the `Code security and analysis` settings and modify the Check Failures. Set it to `Only critical/ Only errors` and see how that affects the code scanning status check for subsequent PR checks. In the next steps, you will be enabling additional query suites that have other severity types.
If you have identified a false positive, how would you deal with that? What if this is a common pattern within your applications?
110
108
111
109
#### _Stretch Exercise 2: Enabling code scanning on your own repository_
112
110
113
-
So far you've learned how to enable secret scanning, Dependabot and code scanning. Try enabling this on your own repository, and see what kind of results you get!
111
+
So far you've learned how to enable Dependabot, secret scanning, and code scanning. Try enabling this on your own repository, and see what kind of results you get!
114
112
115
-
### _**Practical Exercise 4**_
113
+
### _**Lab 4**_
116
114
117
115
#### Customizing CodeQL Configuration
118
116
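Review bot: "Set it to `Only critical/ Only errors`" reads as one option with a stray space; these are two separate choices in the Check Failure setting, so write "Set it to `Only critical` or `Only errors`". It is worth a clause saying that they fail the check on different scales, security severity (critical/high/medium) versus rule severity (error/warning/note), since the next sentence is about enabling query suites with other severity types.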
@@ -211,7 +209,7 @@ queries:
211
209
```
212
210
</details>
213
211
214
-
5. Try specifying directories to scan or not to scan. Why would you include this in the configuration?
212
+
5. Try specifying directories to scan or not to scan. Note that this is only supported for interpreted languages, such as javascript/typescript, python, ruby, etc. Why would you include this in the configuration?
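Review bot: the added caveat is correct but should name the languages properly (JavaScript/TypeScript, Python, Ruby) and state the reason: for compiled languages CodeQL analyzes whatever the build compiles, so `paths` and `paths-ignore` in the configuration file cannot narrow the scan, and the build step itself has to be restricted instead. Replace "etc." with a link to the supported-languages list in the CodeQL documentation so readers are not left guessing which languages honour the filters.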