Fix typos

feaselkl · feaselkl · commit 1de0b1083880 · 2024-08-29T00:10:51.000-04:00
diff --git a/Solution/Exercise-03/Task-3/dotnet-deploy-2.yml b/Solution/Exercise-03/Task-3/dotnet-deploy-2.yml
@@ -1,63 +1,63 @@
-name: .NET CI
-
-env:
-  registryName: {your_registry_name}.azurecr.io
-  repositoryName: techexcel/dotnetcoreapp
-  dockerFolderPath: ./Application/src/RazorPagesTestSample
-  tag: ${{github.run_number}}
-  
-on:
-  push:
-    branches: [ main ]
-    paths: src/Application/**
-  pull_request:
-    branches: [ main ]
-    paths: src/Application/**
-  # Allows you to run this workflow manually from the Actions tab
-  workflow_dispatch:
-jobs:
-  build:
-
-    runs-on: ubuntu-latest
-
-    steps:
-    - uses: actions/checkout@v3
-    - name: Setup .NET
-      uses: actions/setup-dotnet@v3
-      with:
-        dotnet-version: 8.0
-    
-    - name: Restore dependencies
-      run: dotnet restore ./src/Application/src/RazorPagesTestSample/RazorPagesTestSample.csproj
-    - name: Build
-      run: dotnet build --no-restore ./src/Application/src/RazorPagesTestSample/RazorPagesTestSample.csproj
-    - name: Test
-      run: dotnet test --no-build --verbosity normal ./src/Application/tests/RazorPagesTestSample.Tests/RazorPagesTestSample.Tests.csproj
-      
-  dockerBuildPush:
-    
-    runs-on: ubuntu-latest
-    needs: build
-
-    steps:
-    - uses: actions/checkout@v3
-    
-    - name: Docker Login
-      # You may pin to the exact commit or the version.
-      # uses: docker/login-action@28218f9b04b4f3f62068d7b6ce6ca5b26e35336c
-      uses: docker/login-action@v1.9.0
-      with:
-        # Server address of Docker registry. If not set then will default to Docker Hub
-        registry: ${{ secrets.ACR_LOGIN_SERVER }}
-        # Username used to log against the Docker registry
-        username: ${{ secrets.ACR_USERNAME }}
-        # Password or personal access token used to log against the Docker registry
-        password: ${{ secrets.ACR_PASSWORD }}
-        # Log out from the Docker registry at the end of a job
-        logout: true
-        
-    - name: Docker Build
-      run: docker build -t $registryName/$repositoryName:$tag --build-arg build_version=$tag $dockerFolderPath
-      
-    - name: Docker Push
-      run: docker push $registryName/$repositoryName:$tag
+name: .NET CI
+
+env:
+  registryName: {your_registry_name}.azurecr.io
+  repositoryName: techexcel/dotnetcoreapp
+  dockerFolderPath: ./src/Application/src/RazorPagesTestSample
+  tag: ${{github.run_number}}
+  
+on:
+  push:
+    branches: [ main ]
+    paths: src/Application/**
+  pull_request:
+    branches: [ main ]
+    paths: src/Application/**
+  # Allows you to run this workflow manually from the Actions tab
+  workflow_dispatch:
+jobs:
+  build:
+
+    runs-on: ubuntu-latest
+
+    steps:
+    - uses: actions/checkout@v3
+    - name: Setup .NET
+      uses: actions/setup-dotnet@v3
+      with:
+        dotnet-version: 8.0
+    
+    - name: Restore dependencies
+      run: dotnet restore ./src/Application/src/RazorPagesTestSample/RazorPagesTestSample.csproj
+    - name: Build
+      run: dotnet build --no-restore ./src/Application/src/RazorPagesTestSample/RazorPagesTestSample.csproj
+    - name: Test
+      run: dotnet test --no-build --verbosity normal ./src/Application/tests/RazorPagesTestSample.Tests/RazorPagesTestSample.Tests.csproj
+      
+  dockerBuildPush:
+    
+    runs-on: ubuntu-latest
+    needs: build
+
+    steps:
+    - uses: actions/checkout@v3
+    
+    - name: Docker Login
+      # You may pin to the exact commit or the version.
+      # uses: docker/login-action@28218f9b04b4f3f62068d7b6ce6ca5b26e35336c
+      uses: docker/login-action@v1.9.0
+      with:
+        # Server address of Docker registry. If not set then will default to Docker Hub
+        registry: ${{ secrets.ACR_LOGIN_SERVER }}
+        # Username used to log against the Docker registry
+        username: ${{ secrets.ACR_USERNAME }}
+        # Password or personal access token used to log against the Docker registry
+        password: ${{ secrets.ACR_PASSWORD }}
+        # Log out from the Docker registry at the end of a job
+        logout: true
+        
+    - name: Docker Build
+      run: docker build -t $registryName/$repositoryName:$tag --build-arg build_version=$tag $dockerFolderPath
+      
+    - name: Docker Push
+      run: docker push $registryName/$repositoryName:$tag
diff --git a/docs/04_make_things_secure/0401.md b/docs/04_make_things_secure/0401.md
@@ -1,103 +1,103 @@
----
-title: '1. Implement GitHub Advanced Security'
-layout: default
-nav_order: 1
-parent: 'Exercise 04: Make things secure'
----
-
-# Task 01 - Implement GitHub Advanced Security (20 minutes)
-
-## Introduction
-
-The Munson's Pickles and Preserves Team Messaging System is up and running! They even have a proper Git Flow to protect against unintended changes to the main branch, and are recording application telemetry into App Insights. Before we are truly production-ready, though, there is one topic we have to cover: security.
-
-One good DevOps practice is to enable protections against code-level vulnerabilities, and GitHub provides a number of useful features in this area. First, there are Issues, which allow developers or users to open 'tickets' indicating bugs to be fixed or potential vulnerabilities. If your organization prefers security flaws to be reported in a location other than GitHub, you have the option to provide a custom Security policy which describes the process for reporting.
-
-In addition to these manual processes, GitHub also provides automated tools for scanning code for common errors. In this task, you will utilize the built-in Dependabot, which provides alerts if your repository contains libraries, packages, or external dependencies with known vulnerabilities. You will also set up a workflow with CodeQL, which can scan your source code for common coding errors or basic security flaws. This will help to ensure that the Team Messaging System contains code without any known vulnerabilities.
-
-## Description
-
-In this task, you will enable some of GitHub's built-in tools for securing code in repositories.
-
-1. Ask GitHub Copilot, "What do I need in a GitHub repository's security file?"
-2. Find the repository's Security policy. If there is an existing policy, make an edit using GithUb Copilot and merge your change back into the main branch. Otherwise, create a policy using the template provided and GitHub Copilot. GitHub Security policies are Markdown documents that indicate the preferred way to report security vulnerabilities for the repository.
-3. Ask GitHub Copilot, "How do I enable Dependabot alerts on a GitHub repository?" Then, enable Dependabot alerts for the repository. Dependabot is an automated tool that creates a pull request when any dependencies in the code base has a known vulnerability.
-4. Ask GitHub Copilot, "How do I create a code scanning workflow in a GitHub repository?" After that, set up and run a Code scanning workflow for the repository using GitHub's 'CodeQL Analysis.' This workflow can run either on each pull request or on a schedule, and it checks your code for common vulnerabilities or errors.
-5. Ask GitHub Copilot, "How can I view the results of a CodeQL analysis in GitHub?" Then, navigate to the results. The next task will cover reviewing and correcting any issues you find.
-6. Ask GitHub Copilot, "How do I enable secret scanning on a GitHub repository?" Then, enable secret scanning and push protection on the repository.
-
-## Success Criteria
-
-- The **Security** page for your GitHub repository shows that Dependabot alerts, Code scanning alerts, and Secret scanning alerts are all enabled.
-- You have one Dependabot alert, one Code scanning alert, and one Secret scanning alert.
-
-## Learning Resources
-
-- [Learn more about adding a security policy to your repository](https://docs.github.com/en/github/managing-security-vulnerabilities/adding-a-security-policy-to-your-repository).
-- [Learn more about Dependabot and vulnerable dependencies](https://docs.github.com/en/github/managing-security-vulnerabilities/managing-vulnerabilities-in-your-projects-dependencies).
-- [Learn more about automated code scanning and understanding results](https://docs.github.com/en/github/finding-security-vulnerabilities-and-errors-in-your-code).
-
-## Tips
-
-- If you are stuck, check out the **Security** tab of your repository on GitHub.
-
-## Solution
-
-<details markdown="block">
-<summary>Expand this section to view the solution</summary>
-
-1. Select **Settings** in your repo, then **Code security and analysis**. Select **Enable** on "Dependabot alerts" and "Dependabot security updates."
-
-    ![Enabled Dependabot alerts and security updates](../../Media/EnableDependabot.png)
-
-    **Note** This will also automatically enable "Dependency graph."
-2. Navigate to [https://github.com/electron/electron/blob/main/SECURITY.md](https://github.com/electron/electron/blob/main/SECURITY.md) for information about security policies. This is an example of a sample security policy that you could use for this exercise.
-3. In your GitHub repo, select **Security**, **Policy**, and **Start setup**
-
-   ![Start the security policy setup](../../Media/StartSecurityPolicySetup.png)
-
-4. Paste the security policy into the Markdown file (you can overwrite what is there now) and update it for the Munson's Pickles and Preserves Team Messaging System and the GitHub repo your code is in. Then, commit the changes to the main branch.
-
-   ![Commit the updated security policy](../../Media/CommitSecurityPolicy.png)
-
-5. Next, we need to enable CodeQL. Select **Settings** and then **Code security and analysis**.
-6. Scroll down if needed and select **Set up** in "Code scanning" for "CodeQL analysis."
-
-    ![Setup CodeQL analysis](../../Media/CodeQLAnalysisSetup.png)
-
-7. If you select "Default", the code scan will immediately be run. For this exercise, select **Advanced**.
-
-    ![Select Default](../../Media/CodeQLAdvanced.png)
-
-8. By choosing the advanced option, you can see the YAML for the pipeline that actually performs the code check. We don't need to make any changes here, but it's something you should be familiar with. An easy change to make in this file would be if you want to adjust the schedule of when the scan runs. Use GitHub Copilot to assist you with making any change.
-
-    ![Commit the CodeQL YAML](../../Media/CodeQLYAMLCommit.png)
-
-    After you've reviewed the YAML, commit the change to main.
-
-    ![Commit the change](../../Media/CodeQLCommitChange.png)
-
-9. After you've committed the change, select **Actions** and you should see your CodeQL Scan workflow running.
-
-    ![CodeQL scan running](../../Media/CodeQLScanRunning.png)
-
-10. After about 5 minutes, you should see the workflow has completed.
-
-    ![Workflow complete](../../Media/CodeQLWorkflowComplete.png)
-
-11. After it's complete, go back to **Settings** and **Code security and analysis**. Then, select the ellipsis **...** next to the "Set up" menu. From the ellipsis dropdown, explore each of the first two options: "View last scan log" and "View Code Scanning alerts." You will find one High-risk vulnerability around arbitrary file access during archive extraction.
-
-    {: .note }
-    > This page will still show "Set up" because we chose the Advanced option instead of Basic.
-
-    ![View code scanning results](../../Media/CodeQLViewResults.png)
-
-12. Return to the **Settings** menu and select **Code security and analysis**. Navigate to the bottom of the page and select the **Enable** button for Secret scanning.
-
-    ![Enable secret scanning](../../Media/0401_SecretScanning.png)
-
-    Once you have enabled secret scanning, you will be able to enable a second option for Push protection.
-
-    ![Enable push protection](../../Media/0401_PushProtection.png)
-
-</details>
+---
+title: '1. Implement GitHub Advanced Security'
+layout: default
+nav_order: 1
+parent: 'Exercise 04: Make things secure'
+---
+
+# Task 01 - Implement GitHub Advanced Security (20 minutes)
+
+## Introduction
+
+The Munson's Pickles and Preserves Team Messaging System is up and running! They even have a proper Git Flow to protect against unintended changes to the main branch, and are recording application telemetry into App Insights. Before we are truly production-ready, though, there is one topic we have to cover: security.
+
+One good DevOps practice is to enable protections against code-level vulnerabilities, and GitHub provides a number of useful features in this area. First, there are Issues, which allow developers or users to open 'tickets' indicating bugs to be fixed or potential vulnerabilities. If your organization prefers security flaws to be reported in a location other than GitHub, you have the option to provide a custom Security policy which describes the process for reporting.
+
+In addition to these manual processes, GitHub also provides automated tools for scanning code for common errors. In this task, you will utilize the built-in Dependabot, which provides alerts if your repository contains libraries, packages, or external dependencies with known vulnerabilities. You will also set up a workflow with CodeQL, which can scan your source code for common coding errors or basic security flaws. This will help to ensure that the Team Messaging System contains code without any known vulnerabilities.
+
+## Description
+
+In this task, you will enable some of GitHub's built-in tools for securing code in repositories.
+
+1. Ask GitHub Copilot, "What do I need in a GitHub repository's security file?"
+2. Find the repository's Security policy. If there is an existing policy, make an edit using GitHub Copilot and merge your change back into the main branch. Otherwise, create a policy using the template provided and GitHub Copilot. GitHub Security policies are Markdown documents that indicate the preferred way to report security vulnerabilities for the repository.
+3. Ask GitHub Copilot, "How do I enable Dependabot alerts on a GitHub repository?" Then, enable Dependabot alerts for the repository. Dependabot is an automated tool that creates a pull request when any dependencies in the code base has a known vulnerability.
+4. Ask GitHub Copilot, "How do I create a code scanning workflow in a GitHub repository?" After that, set up and run a Code scanning workflow for the repository using GitHub's 'CodeQL Analysis.' This workflow can run either on each pull request or on a schedule, and it checks your code for common vulnerabilities or errors.
+5. Ask GitHub Copilot, "How can I view the results of a CodeQL analysis in GitHub?" Then, navigate to the results. The next task will cover reviewing and correcting any issues you find.
+6. Ask GitHub Copilot, "How do I enable secret scanning on a GitHub repository?" Then, enable secret scanning and push protection on the repository.
+
+## Success Criteria
+
+- The **Security** page for your GitHub repository shows that Dependabot alerts, Code scanning alerts, and Secret scanning alerts are all enabled.
+- You have one Dependabot alert, one Code scanning alert, and one Secret scanning alert.
+
+## Learning Resources
+
+- [Learn more about adding a security policy to your repository](https://docs.github.com/en/github/managing-security-vulnerabilities/adding-a-security-policy-to-your-repository).
+- [Learn more about Dependabot and vulnerable dependencies](https://docs.github.com/en/github/managing-security-vulnerabilities/managing-vulnerabilities-in-your-projects-dependencies).
+- [Learn more about automated code scanning and understanding results](https://docs.github.com/en/github/finding-security-vulnerabilities-and-errors-in-your-code).
+
+## Tips
+
+- If you are stuck, check out the **Security** tab of your repository on GitHub.
+
+## Solution
+
+<details markdown="block">
+<summary>Expand this section to view the solution</summary>
+
+1. Select **Settings** in your repo, then **Code security and analysis**. Select **Enable** on "Dependabot alerts" and "Dependabot security updates."
+
+    ![Enabled Dependabot alerts and security updates](../../Media/EnableDependabot.png)
+
+    **Note** This will also automatically enable "Dependency graph."
+2. Navigate to [https://github.com/electron/electron/blob/main/SECURITY.md](https://github.com/electron/electron/blob/main/SECURITY.md) for information about security policies. This is an example of a sample security policy that you could use for this exercise.
+3. In your GitHub repo, select **Security**, **Policy**, and **Start setup**
+
+   ![Start the security policy setup](../../Media/StartSecurityPolicySetup.png)
+
+4. Paste the security policy into the Markdown file (you can overwrite what is there now) and update it for the Munson's Pickles and Preserves Team Messaging System and the GitHub repo your code is in. Then, commit the changes to the main branch.
+
+   ![Commit the updated security policy](../../Media/CommitSecurityPolicy.png)
+
+5. Next, we need to enable CodeQL. Select **Settings** and then **Code security and analysis**.
+6. Scroll down if needed and select **Set up** in "Code scanning" for "CodeQL analysis."
+
+    ![Setup CodeQL analysis](../../Media/CodeQLAnalysisSetup.png)
+
+7. If you select "Default", the code scan will immediately be run. For this exercise, select **Advanced**.
+
+    ![Select Default](../../Media/CodeQLAdvanced.png)
+
+8. By choosing the advanced option, you can see the YAML for the pipeline that actually performs the code check. We don't need to make any changes here, but it's something you should be familiar with. An easy change to make in this file would be if you want to adjust the schedule of when the scan runs. Use GitHub Copilot to assist you with making any change.
+
+    ![Commit the CodeQL YAML](../../Media/CodeQLYAMLCommit.png)
+
+    After you've reviewed the YAML, commit the change to main.
+
+    ![Commit the change](../../Media/CodeQLCommitChange.png)
+
+9. After you've committed the change, select **Actions** and you should see your CodeQL Scan workflow running.
+
+    ![CodeQL scan running](../../Media/CodeQLScanRunning.png)
+
+10. After about 5 minutes, you should see the workflow has completed.
+
+    ![Workflow complete](../../Media/CodeQLWorkflowComplete.png)
+
+11. After it's complete, go back to **Settings** and **Code security and analysis**. Then, select the ellipsis **...** next to the "Set up" menu. From the ellipsis dropdown, explore each of the first two options: "View last scan log" and "View Code Scanning alerts." You will find one High-risk vulnerability around arbitrary file access during archive extraction.
+
+    {: .note }
+    > This page will still show "Set up" because we chose the Advanced option instead of Basic.
+
+    ![View code scanning results](../../Media/CodeQLViewResults.png)
+
+12. Return to the **Settings** menu and select **Code security and analysis**. Navigate to the bottom of the page and select the **Enable** button for Secret scanning.
+
+    ![Enable secret scanning](../../Media/0401_SecretScanning.png)
+
+    Once you have enabled secret scanning, you will be able to enable a second option for Push protection.
+
+    ![Enable push protection](../../Media/0401_PushProtection.png)
+
+</details>
