Merge pull request #49928 from ShawnKupfer/WB1743

AB#1044022: Maintain a secure repository by using GitHub best practices

Author: v-ccolin

learn-pr/github/maintain-secure-repository-github/1-introduction.yml

@@ -4,7 +4,7 @@ title: Introduction
 metadata:
   title: Introduction
   description: Learn how to maintain a secure GitHub repository.
-  ms.date: 04/22/2024
+  ms.date: 04/09/2025
   author: a-a-ron
   ms.author: aastewar
   ms.topic: unit

learn-pr/github/maintain-secure-repository-github/2-how-to-maintain-secure-repository.yml

@@ -4,7 +4,7 @@ title: How to maintain a secure GitHub repository
 metadata:
   title: How to maintain a secure GitHub repository
   description: Learn best practices for maintaining a secure GitHub repository.
-  ms.date: 04/22/2024
+  ms.date: 04/09/2025
   author: a-a-ron
   ms.author: aastewar
   ms.topic: unit

learn-pr/github/maintain-secure-repository-github/3-security-automation.yml

@@ -4,7 +4,7 @@ title: Automated security
 metadata:
   title: Automated security
   description: Learn about automated security features within GitHub.
-  ms.date: 04/22/2024
+  ms.date: 04/09/2025
   author: a-a-ron
   ms.author: aastewar
   ms.topic: unit

learn-pr/github/maintain-secure-repository-github/3-security-strategy-essentials.yml

@@ -4,7 +4,7 @@ title:  Exercise - Secure your repository's supply chain
 metadata:
   title:  Exercise - Secure your repository's supply chain
   description: Learn to build, host, and maintain a secure repository on GitHub.
-  ms.date: 04/22/2024
+  ms.date: 04/09/2025
   author: a-a-ron
   ms.author: aastewar
   ms.topic: unit

learn-pr/github/maintain-secure-repository-github/4-knowledge-check.yml

@@ -4,7 +4,7 @@ title: Module assessment
 metadata:
   title: Module assessment
   description: Check what you've learned.
-  ms.date: 04/22/2024
+  ms.date: 04/09/2025
   author: a-a-ron
   ms.author: aastewar
   ms.topic: unit
@@ -18,7 +18,7 @@ quiz:
     choices:
     - content: "Configure your package files to always use the latest versions of dependencies."
       isCorrect: false
-      explanation: "This practice is generally a bad idea because it can introduce breaking changes or unexpected behavior in your software."
+      explanation: "This practice is generally a bad idea, because it can introduce breaking changes or unexpected behavior in your software."
     - content: "Check each project's security details closely before adding it to your dependencies by confirming its version status across multiple advisory sites."
       isCorrect: false
       explanation: "Even if this practice helps you start off with a secure version of a given dependency, it won't ensure that you're safe from future vulnerabilities. You would need to constantly monitor every package to ensure compliance, which might be infeasible."

learn-pr/github/maintain-secure-repository-github/5-summary.yml

@@ -4,7 +4,7 @@ title: Summary
 metadata:
   title: Summary
   description: Review what you've learned.
-  ms.date: 04/22/2024
+  ms.date: 04/09/2025
   author: a-a-ron
   ms.author: aastewar
   ms.topic: unit

learn-pr/github/maintain-secure-repository-github/includes/2-how-to-maintain-secure-repository.md

@@ -25,11 +25,11 @@ There are many aspects to building and deploying secure applications. Here are t
 
 Security isn't something you can just add later to an application or a system. Secure development must be part of every stage of the software-development life cycle. This concept is even more important for critical applications and those applications that process sensitive or highly confidential information.
 
-In practice, to hold teams accountable for what they develop, processes need to **shift left**, or be completed earlier, in the development lifecycle. By moving steps from a final gate at deployment time to an earlier step, fewer mistakes are made, and developers can move more quickly.
+In practice, to hold teams accountable for what they develop, processes need to **shift left**, or be completed earlier in the development lifecycle. By moving steps from a final gate at deployment time to an earlier step, fewer mistakes are made, and developers can move more quickly.
 
 Application-security concepts weren't a focus for developers in the past. Apart from the education and training issues, it's because their organizations emphasized fast development of features.
 
-With the introduction of DevOps practices however, security testing is easier to integrate into the pipeline. Rather than being a task performed by security specialists, security testing should just be part of the day-to-day delivery processes.
+However, with the introduction of DevOps practices, security testing is easier to integrate into the pipeline. Rather than being a task performed by security specialists, security testing should just be part of the day-to-day delivery processes.
 
 Overall, when the time for rework is taken into account, adding security to your DevOps practices earlier in the development lifecycle allows development teams to catch issues earlier. Catching issues earlier can actually reduce the overall time it takes to develop quality software.
 
@@ -54,9 +54,6 @@ From the Security tab, you can add features to your GitHub workflow to help avoi
 
 For more information, see [GitHub security features](https://docs.github.com/code-security/getting-started/github-security-features).
 
-> [!NOTE]
-> Dependabot alert advisories for malware are currently in beta and subject to change. Only advisories that have been reviewed by GitHub will trigger Dependabot alerts.
-
 Next, we explore some of these features and learn ways to distribute security and operational responsibilities across all phases of the software-development lifecycle.
 
 ## Communicate a security policy with SECURITY.md
@@ -99,11 +96,11 @@ x86/
 
 Your repository might include multiple `.gitignore` files. Settings are inherited from parent directories, with overriding fields in new `.gitignore` files taking precedence over parent settings for their folders and subfolders. It's significant effort to maintain the root `.gitignore` file, although adding a `.gitignore` file into a project directory can be helpful when that project has specific requirements that are easier to maintain separately from the parent, such as files that should *not* be ignored.
 
-To learn more about `.gitignore`, see [Ignoring files](https://docs.github.com/get-started/getting-started-with-git/ignoring-files). Also check out the collection of starter `.gitignore` files offered for various platforms in the [gitignore repository](https://github.com/github/gitignore).
+To learn more about `.gitignore`, see [Ignoring files](https://docs.github.com/get-started/git-basics/ignoring-files). Also check out the collection of starter `.gitignore` files offered for various platforms in the [gitignore repository](https://github.com/github/gitignore).
 
 ## Remove sensitive data from a repository
 
-While `.gitignore` files can be useful in helping contributors avoid committing sensitive data, it's just a strong suggestion. Developers can still work around it to add files if they're motivated enough, and sometimes files might slip through because they don't meet the `.gitignore` file configuration. Project participants should always be on the lookout for commits that contain data that shouldn't be included in the repository or its history.
+While `.gitignore` files can be useful in helping contributors avoid committing sensitive data, they're just a strong suggestion. Developers can still work around a `.gitignore` file to add files if they're motivated enough, and sometimes files might slip through because they don't meet the `.gitignore` file configuration. Project participants should always be on the lookout for commits that contain data that shouldn't be included in the repository or its history.
 
 > [!IMPORTANT]
 > You should assume that any data committed to GitHub at any point has been compromised. Simply overwriting a commit isn't enough to ensure the data won't be accessible in the future. For the complete guide to removing sensitive data from GitHub, see [Removing sensitive data from a repository](https://docs.github.com/authentication/keeping-your-account-and-data-secure/removing-sensitive-data-from-a-repository).
@@ -114,14 +111,14 @@ You can create a [branch protection rule](https://docs.github.com/repositories/c
 
 You can use the workflows that protect the branch to:
 
-- Run a build to verify the code changes can be built
-- Run a linter to check for typos and conformation to the internal coding conventions
-- Run automated tests to check for any behavior changes of the code
-- And so on
+- Run a build to verify the code changes can be built;
+- Run a linter to check for typos and conformation to the internal coding conventions;
+- Run automated tests to check for any behavior changes of the code;
+- And so on.
 
 ## Add a CODEOWNERS file
 
-By adding a [CODEOWNERS](https://docs.github.com/github/creating-cloning-and-archiving-repositories/creating-a-repository-on-github/about-code-owners#codeowners-syntax) file to your repository, you can assign individual team members or entire teams as code owners to paths in your repository. These code owners are then required for pull-request reviews on any changes to files in a path for which they're configured.
+By adding a [CODEOWNERS](https://docs.github.com/repositories/managing-your-repositorys-settings-and-features/customizing-your-repository/about-code-owners#codeowners-syntax) file to your repository, you can assign individual team members or entire teams as code owners to paths in your repository. These code owners are then required for pull-request reviews on any changes to files in a path for which they're configured.
 
 ```
 # Changes to files with the js extensions need to be reviewed by the js-owner user/group:

learn-pr/github/maintain-secure-repository-github/includes/3-security-automation.md

@@ -14,7 +14,7 @@ For the list of supported dependency manifests, see [About the dependency graph]
 
 ### Dependabot alerts
 
-Even with a visual dependency graph, it can still be overwhelming to stay on top of the latest security considerations for every dependency a project has. To reduce this overhead, GitHub provides [Dependabot alerts](https://docs.github.com/code-security/dependabot/dependabot-alerts/about-dependabot-alerts#dependabot-alerts-for-vulnerable-dependencies) that watch your dependency graphs for you. It then cross-references target versions with versions on known vulnerability lists. When a risk is discovered, the project is alerted. Input for the analysis comes from [GitHub Security Advisories](https://docs.github.com/code-security/security-advisories/working-with-repository-security-advisories/about-repository-security-advisories#dependabot-alerts-for-published-security-advisories).
+Even with a visual dependency graph, it can still be overwhelming to stay on top of the latest security considerations for every dependency a project has. To reduce this overhead, GitHub provides [Dependabot alerts](https://docs.github.com/code-security/dependabot/dependabot-alerts/about-dependabot-alerts) that watch your dependency graphs for you. It then cross-references target versions with versions on known vulnerability lists. When a risk is discovered, the project is alerted. Input for the analysis comes from [GitHub Security Advisories](https://docs.github.com/code-security/security-advisories/working-with-repository-security-advisories/about-repository-security-advisories#dependabot-alerts-for-published-security-advisories).
 
 ![Screenshot of Dependabot alerts for vulnerable dependencies.](../media/2-dependency-alert.png)
 
@@ -34,12 +34,12 @@ You can enable code-scanning alerts and workflows in the security tab of a GitHu
 
 :::image type="content" source="../media/security-overview.png" alt-text="Screenshot of a list of policies, advisories, and alerts with links to more information.":::
 
-Learn more about [Code scanning and CodeQL](https://docs.github.com/code-security/code-scanning/introduction-to-code-scanning/about-code-scanning#about-code-scanning).
+Learn more about [Code scanning and CodeQL](https://docs.github.com/code-security/code-scanning/introduction-to-code-scanning/about-code-scanning).
 
 ### Secret scanning
 
 Another automated scanning feature within a GitHub repository is secret scanning. Similar to the previous security scanning features, secret scanning looks for known secrets or credentials committed within the repository. This scanning is done to prevent the use of fraudulent behavior and to secure the integrity of any sensitive data. By default, secret scanning occurs on public repositories and you can enable secret scanning on private repositories by repository administrators or organization owners.
 
 When secret scanning detects a set of credentials, GitHub notifies the service provider who issued the secret. The service provider validates the credential. Then, it decides whether they should revoke the secret, issue a new secret, or reach out to you directly. The action depends on the associated risks to you or the service provider.
 
-Learn more about [Secret scanning for public and private repositories](https://docs.github.com/code-security/secret-scanning/about-secret-scanning).
+Learn more about [Secret scanning for public and private repositories](https://docs.github.com/code-security/secret-scanning/introduction/about-secret-scanning).

learn-pr/github/maintain-secure-repository-github/includes/3-security-strategy-essentials.md

@@ -10,7 +10,7 @@ Here are some helpful tips before you begin the exercise:
 - Stuck on what to do? Revisit the content in the last unit or check out the README file in the exercise's repository.
 
 > [!NOTE]
-> A grading script exists under `.github/workflows/grading.yml`. You don't need to modify this workflow to complete this exercise. **Altering the contents in this workflow can break the exercise's ability to validate your actions, provide feedback, or grade the results.**
+> There's a grading script under `.github/workflows/grading.yml`. You don't need to modify this workflow to complete this exercise. **Altering the contents in this workflow can break the exercise's ability to validate your actions, provide feedback, or grade the results.**
 
 This exercise is a challenge based on content covered in this module, and there could be more than one way to successfully complete the exercise. If you get stuck, revisit previous content in this module or navigate to some of the other resources provided.
 

learn-pr/github/maintain-secure-repository-github/includes/5-summary.md

@@ -18,5 +18,5 @@ Here are some links to more information on the topics we discussed in this modul
 - [Dependabot official site](https://github.com/dependabot)
 - [Security apps on GitHub Marketplace](https://github.com/marketplace/category/security?azure-portal=true)
 - [Adding a security policy to your repository](https://docs.github.com/code-security/getting-started/adding-a-security-policy-to-your-repository)
-- [Ignoring files](https://docs.github.com/get-started/getting-started-with-git/ignoring-files)
+- [Ignoring files](https://docs.github.com/get-started/git-basics/ignoring-files)
 - [Removing sensitive data from a repository](https://docs.github.com/authentication/keeping-your-account-and-data-secure/removing-sensitive-data-from-a-repository)