adding new labs

joshjohanning · joshjohanning · commit 0137b63e8cd9 · 2024-10-27T18:10:57.000-07:00
diff --git a/README.md b/README.md
@@ -55,6 +55,30 @@ This lab will have you utilize Secret Scanning with Push Protection to prevent s
 
 ---
 
+### Lab 6 - Hands-on with Security Overview
+
+This lab will teach you how to effectively use the Security Overview to review and alerts and coverage in an organization.
+
+- Get started here - [Lab 5](./_labs/lab6.md)
+
+---
+
+### Extra Credit: Advanced CodeQL Setup
+
+This open-ended extra credit lab will have you switch to the advanced CodeQL setup.
+
+- Get started here - [Extra Credit Lab 1](./_labs/lab7-ec.md)
+
+---
+
+### Extra Credit: Custom Secret Scanning Patterns
+
+This open-ended extra credit lab will have you create a custom secret scanning pattern.
+
+- Get started here - [Extra Credit Lab 2](./_labs/lab8-ec.md)
+
+---
+
 ## :book: Resources
 - [GitHub Docs - About GitHub Advanced Security](https://docs.github.com/en/get-started/learning-about-github/about-github-advanced-security)
 - [GitHub Security Learning Pathway](https://resources.github.com/learn/pathways/security/)
diff --git a/_labs/README.md b/_labs/README.md
@@ -5,3 +5,6 @@
 3. [Lab 3 - Hands-on with Code Scanning (blocking vulnerable code from entering codebase and Copilot Autofix)](./lab3.md)
 4. [Lab 4 - Hands-on with Dependency Review (blocking vulnerable dependencies from entering codebase)](./lab4.md)
 5. [Lab 5 - Hands-on with Secret Scanning (secret scanning with push protections)](./lab5.md)
+6. [Lab 6 - Hands-on with Security Overview]((./lab6.md))
+7. [Extra credit: Advanced CodeQL Setup](./lab7-ec.md)
+8. [Extra credit: Custom Secret Scanning Patterns](./lab8-ec.md)
diff --git a/_labs/lab5.md b/_labs/lab5.md
@@ -42,3 +42,5 @@ This lab covers parts of the following exam domains:
 Celebrate 🎉! We just prevented a secret from entering our codebase!
 
 And there you have it. You should now have a good grasp on what GitHub Advanced Security is, how it works, and how to implement it. So get out there and keep your company secured!
+
+➡️ Head back to the [labs](README.md) page to continue on to the next lab.
diff --git a/_labs/lab6.md b/_labs/lab6.md
@@ -0,0 +1,48 @@
+# Lab 5 - Hands-on with Security Overview
+
+We've covered how to review alerts in a single repository, but how is your org or team doing? Next, we'll check out the Security Overview at the organizational level to see how we can get a high-level view of the security posture of our organization.
+
+This lab covers parts of the following exam domains:
+
+TODO: dunno what domains
+
+- Domain 6: Describe GitHub Advanced Security best practices
+
+## Exercise 1: Navigating to Security Overview
+
+The Security Overview can be used by anyone inside of an organization; it shows repositories that you have access to. If you are an org owner or a security manager, you would see all alerts. If you are a regular org member, you would only see alerts for repositories by default that you have write access to.
+
+> [!NOTE]
+> Security alerts for a repository are visible to people with write, maintain, or admin access to the repository and, when the repository is owned by an organization, organization owners. You can give additional teams and people access to the alerts.
+
+1. Navigate to the organization. You can do so by **clicking on the org name** (`ghuwsec1953`) in the repository breadcrumbs in the upper left hand corner.
+    - You can also navigate to your orgs by clicking on your profile picture and "**Your organizations**"
+2. Click on the **Security** tab.
+3. Review (and click on!) the different views on the left-hand side:
+    - Overview: visualize trends in Detection, Remediation, and Prevention of security alerts ([docs](https://docs.github.com/en/enterprise-cloud@latest/code-security/security-overview/viewing-security-insights#about-security-insights))
+    - Risk: explore the risk from security alerts of all types or focus on a single alert type and identify your risk from specific vulnerable dependencies, code weaknesses, or leaked secrets ([docs](https://docs.github.com/en/enterprise-cloud@latest/code-security/security-overview/assessing-code-security-risk))
+    - Coverage: assess the adoption of code security features across repositories in the organization ([docs](https://docs.github.com/en/enterprise-cloud@latest/code-security/security-overview/assessing-adoption-code-security))
+    - Enablement trends: see how quickly different teams are adopting security features
+    - CodeQL pull request alerts: assess the impact of running CodeQL on pull requests and how development teams are resolving code scanning alerts ([docs](https://docs.github.com/en/enterprise-cloud@latest/code-security/security-overview/viewing-metrics-for-pull-request-alerts))
+    - Secret scanning: find out which types of secret are blocked by push protection and which teams are bypassing push protection ([docs](https://docs.github.com/en/enterprise-cloud@latest/code-security/security-overview/viewing-metrics-for-secret-scanning-push-protection))
+
+> [!TIP]
+> You can export a CSV of nearly from most of these views using the **Export CSV** button in the upper right.
+
+4. Under the **Overview** view, navigate the sub-views, specifically **Detection** and **Remediation**.
+    - Note the trends - this is useful information to evaluate the security posture of your organization. Are we getting better over time?
+    - Being secure requires "constant vigilance"
+5. Navigate to the **Risk** view.
+6. On the right-hand side, click the **Teams ▾** button/dropdown.
+7. Click on the **all users** team - this team is only added to a different sample repo, so note how the total alerts changes.
+    - This can be really useful for a manager, architect, or developer to see which repositories assigned to the teams have security features enabled and how many alerts they are generating.
+8. At the bottom of the options on the left, click the **+** to the right of security campaigns. Pick whichever option you want!
+    - Security campaigns are a new feature designed to help administrators and security managers create targeted campaigns and track remediation progress effectively.
+
+## Summary
+
+That's the security overview! Use these views to monitor and manage your security posture effectively. By leveraging the detailed insights provided in each section, you can identify potential threats, take proactive measures, and ensure your systems remain secure.
+
+Congrats, you have finished all of the main labs! 🎉 If you have time or are up for a challenge, try out the extra credit labs!
+
+➡️ Head back to the [labs](README.md) page to try your hand at the extra credit labs.
diff --git a/_labs/lab7-ec.md b/_labs/lab7-ec.md
@@ -0,0 +1,35 @@
+# Extra Credit - Lab 7 - Advanced CodeQL Setup
+
+We set up Code Scanning with CodeQL using the default method. Now, let's try using the **[advanced setup](https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/configuring-advanced-setup-for-code-scanning)**!
+
+This extra credit lab covers parts of the following exam domains:
+
+- Domain 4: Configure and use code scanning
+- Domain 5: Use code scanning with CodeQL
+- Domain 6: Describe GitHub Advanced Security best practices
+
+## Exercise
+
+Why might you want to use the advanced setup? Here are some reasons:
+
+- More control over triggers and schedule
+- When pulling in packages from a private feed, you may have to provide instructions on authorizing to the NuGet, NPM, Maven, etc. feed.
+- For compiled languages, providing more instructions on how to build the code
+- Ability to customize your runners TODO: is this true? i think you can use code-scanning label with default workflow but i cannot remember
+- Ability to customize the CodeQL configuration (such as query suites used)
+- Manage code scanning settings "as code"
+- Utilize 3rd party code scanning tooling
+
+### Assignment
+
+Your assignment here is to switch to the **[advanced setup](https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/configuring-advanced-setup-for-code-scanning)**. You can start under the **Settings** --> **Code Security and Analysis** page.
+
+Your goal is to have a CodeQL workflow committed that successfully scans your code. Pay attention to some of the configuration options for the CodeQL scanning action. Refer to the documentation for more details.
+
+TODO: add link
+
+## Summary
+
+TODO: add content
+
+➡️ Head back to the [labs](README.md) page.
diff --git a/_labs/lab8-ec.md b/_labs/lab8-ec.md
@@ -0,0 +1,24 @@
+# Extra Credit - Lab 8 - Custom Secret Scanning Patterns
+
+We are just using the out of the box secret scanning settings. Perhaps you are interested in finding other patterns, such as credit card patterns, committed in the code.
+
+TODO: we should commit a fake credit card number in the code so they can find it
+
+This lab covers parts of the following exam domains:
+
+- Domain 2: Configure and use secret scanning
+- Domain 6: Describe GitHub Advanced Security best practices
+
+## Exercise
+
+Your assignment here is to implement a secret scanning custom pattern. You can start under the **Settings** --> **Code Security and Analysis** page.
+
+If you are looking for an example of what to search for, we suggest creating a pattern for finding a credit card! Mickey may or may not have accidentally committed his credit card to the repository and we need to alert on this.
+
+Create a pattern, run a dry-run, and hopefully you find the pattern! If so, save the custom secret scanning pattern to implement.
+
+## Summary
+
+TODO: add content
+
+➡️ Head back to the [labs](README.md) page.
