Commit 01ab2ce
Merge pull request #4 from Ignite-GHAS-Workshop/fix-images
Fix image markdown for labs
2 parents 15bef5a + 9771334 commit 01ab2ce

5 files changed

+32
-32
lines changed

_labs/lab1.md

Lines changed: 5 additions & 5 deletions
Original file line numberDiff line numberDiff line change
@@ -38,7 +38,7 @@ Although Dependabot isn't part of the GitHub Advanced Security product suite, it
3838

3939
![image](./images/lab-1-1-1.png)
4040

41-
<img src="images/lab-1-1-1.png"/>
41+
![image](images/lab-1-1-1.png)
4242
</details>
4343

4444
### Exercise 2: Enable Code Scanning
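Review bot: the path on the `41+` line is written as `images/lab-1-1-1.png`, while the unchanged line 39 directly above it references the same file as `./images/lab-1-1-1.png`; pick one form so the two references to one file do not diverge across the document. Also, `image` as alt text carries no information for screen readers or for readers whose screenshot fails to load; a short description of what the screenshot shows would serve better, for example `![<what the screenshot shows>](images/lab-1-1-1.png)` with the placeholder filled in.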
@@ -50,19 +50,19 @@ Although Dependabot isn't part of the GitHub Advanced Security product suite, it
5050
- By default, it will scan the JavaScript code, use the default CodeQL queries (for highest precision), and scan the default branch on push, pull request, and on a weekly schedule.
5151

5252
<details>
53-
<img src="images/lab-1-2-1.png"/>
53+
![image](images/lab-1-2-1.png)
5454
</details>
5555

5656
4. Click the **Enable CodeQL** button to save the settings and enable Code Scanning.
5757

5858
<details>
59-
<img src="images/lab-1-2-2.png"/>
59+
![image](images/lab-1-2-2.png)
6060
</details>
6161

6262
5. Ensure that **Copilot Autofix** is enabled (in the **Code Scanning --> Tools** section).
6363

6464
<details>
65-
<img src="images/lab-1-2-3.png"/>
65+
![image](images/lab-1-2-3.png)
6666
</details>
6767

6868
> [!NOTE]
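Review bot: on the `53+`, `59+` and `65+` lines the markdown image sits on the line immediately after `<details>` with no blank line between them. Under the CommonMark HTML-block rule that GitHub's renderer follows, `<details>` opens an HTML block that extends to the next blank line, so that line is not parsed as markdown and the literal `![image](...)` text is shown instead of the picture; the old `<img>` tag did not have this problem because it was HTML itself. Insert an empty line after each `<details>` (and before the matching `</details>`), for example:

`<details>`
(empty line)
`![image](images/lab-1-2-1.png)`

The same `<details>` / image adjacency appears in every other hunk of this PR and needs the same fix.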
@@ -82,7 +82,7 @@ Although Dependabot isn't part of the GitHub Advanced Security product suite, it
8282
- In Private and internal repositories in organizations using GitHub Enterprise Cloud with GitHub Advanced Security enabled, you can change this to only allow select users/teams (or no one) to bypass secret scanning push protection.
8383

8484
<details>
85-
<img src="images/lab-1-3-1.png"/>
85+
![image](images/lab-1-3-1.png)
8686
</details>
8787

8888
## Summary

_labs/lab2.md

Lines changed: 14 additions & 14 deletions
Original file line numberDiff line numberDiff line change
@@ -8,13 +8,13 @@ Now that we have all of the security feature enabled, let's review the security
88
2. Click **Dependabot** under the **Vulnerability alerts** heading.
99

1010
<details>
11-
<img src="images/lab-2-1-1.png"/>
11+
![image](images/lab-2-1-1.png)
1212
</details>
1313

1414
3. You should see a number of Dependabot alerts with various severities. Click on one of the alerts to see more information about it.
1515

1616
<details>
17-
<img src="images/lab-2-1-2.png"/>
17+
![image](images/lab-2-1-2.png)
1818
</details>
1919

2020
4. When reviewing a Dependabot alert, you can see the following information (see if you can locate this information in the alert you opened):
@@ -30,7 +30,7 @@ Now that we have all of the security feature enabled, let's review the security
3030
- The alert timeline (for example, it should show that Dependabot just recently opened the alert. Once you close an alert, it will show who and when closed it here too).
3131

3232
<details>
33-
<img src="images/lab-2-1-3.png"/>
33+
![image](images/lab-2-1-3.png)
3434
</details>
3535

3636
5. You can manually close an alert by clicking on the **Dismiss alert** button in the upper right hand corner. It's not recommended to close alerts manually, but there may be times where this is helpful (for example, the code that contains the alert is not used).
@@ -53,14 +53,14 @@ Now that we have all of the security feature enabled, let's review the security
5353
- Reviewing the **Critical** and **High** security alerts is another great place to start when prioritizing.
5454

5555
<details>
56-
<img src="images/lab-2-1-4.png"/>
56+
![image](images/lab-2-1-4.png)
5757
</details>
5858

5959
9. If you put your cursor in the search box (should have `is:open` by default), there are additional filter options. Some of the common filter options are **scope** (runtime or development) and **has** (for example, `has:patch`).
6060
10. Update the search query to `is:open has:patch`. This will filter out all of the alerts that don't have a patch available and only show alerts where there is a non-vulnerable version to upgrade to.
6161

6262
<details>
63-
<img src="images/lab-2-1-5.png"/>
63+
![image](images/lab-2-1-5.png)
6464
</details>
6565

6666

@@ -69,13 +69,13 @@ Now that we have all of the security feature enabled, let's review the security
6969
12. Add a rule to snooze any alerts that do not have a fix available. Choose the "gear" icon and select the `New rule` button. Name the rule `Snooze when no patch available`, add a target metadata for all npm packages: `ecosystem:npm` and ensure the `Dismiss Alerts` - `Until patch is available` is selected. Next, select `Create rule`.
7070

7171
<details>
72-
<img src="images/lab-2-1-6.png"/>
72+
![image](images/lab-2-1-6.png)
7373
</details>
7474

7575
13. Navigating back to the **Security** tab / **Dependabot** under the **Vulnerability alerts** heading. You will see `1 Closed` heading. Select this to find your alert `Command Injection in marsdb` without any fix has now been `Dismissed` as `auto-dismissed`. The audit log will note `Repository rule created and Snooze when no patch available was applied`
7676

7777
<details>
78-
<img src="images/lab-2-1-7.png"/>
78+
![image](images/lab-2-1-7.png)
7979
</details>
8080

8181
## Exercise 2: Reviewing Code Scanning alerts
@@ -84,15 +84,15 @@ Now that we have all of the security feature enabled, let's review the security
8484
2. We should have a number of alerts. If you don't see any alerts yet, skip ahead to the next exercise and come back to this one. More than likely, the code scanning workflow hasn't finished yet (it takes between 2-5 minutes to run).
8585

8686
<details>
87-
<img src="images/lab-2-2-1.png"/>
87+
![image](images/lab-2-2-1.png)
8888
</details>
8989

9090
3. If there are code scanning alerts, spend a few moments reviewing them. We can **filter/sort** by severity, tool, language, and a few other options, just like with Dependabot alerts.
9191
4. A common search/filter to use is **Autofilter** to filter out the alerts with a **test** tag (code scanning violations found in test files). This can help you focus on the alerts that are more likely to be real vulnerabilities.
9292
5. To use the autofilter filter, paste this into the search box: `is:open branch:main autofilter:true` (or type/select it by hand).
9393

9494
<details>
95-
<img src="images/lab-2-2-2.png"/>
95+
![image](images/lab-2-2-2.png)
9696
</details>
9797

9898
6. Scroll down and let's click on one of the SQL injection alerts. These can be found by searching for the title **Database query built from user-controlled sources**.
@@ -107,7 +107,7 @@ Now that we have all of the security feature enabled, let's review the security
107107
- The affected branch
108108

109109
<details>
110-
<img src="images/lab-2-2-3.png"/>
110+
![image](images/lab-2-2-3.png)
111111
</details>
112112

113113
8. Click on the **Show paths** link to review the vulnerability from the source to the sink.
@@ -125,7 +125,7 @@ Now that we have all of the security feature enabled, let's review the security
125125
- The nice thing with code scanning alerts (just like Dependabot alerts) is that once you merge the code that resolves an alert, the alert will be automatically closed. This is because the alert is no longer present in the code.
126126

127127
<details>
128-
<img src="images/lab-2-2-4.png"/>
128+
![image](images/lab-2-2-4.png)
129129
</details>
130130

131131
15. We will merge this in change in. But first, we have to wait for the CodeQL workflow to finish running to ensure we aren't introducing any *new* vulnerabilities into the codebase. The workflow run will take 2-5 minutes.
@@ -148,7 +148,7 @@ Now that we have all of the security feature enabled, let's review the security
148148
2. Under the **Security** tab in the repo, click on the **Secret scanning** view. This will show all of the secret scanning alerts. (This should be empty for you.)
149149

150150
<details>
151-
<img src="images/lab-2-3-1.png"/>
151+
![image](images/lab-2-3-1.png)
152152
</details>
153153

154154
3. Viewing a secret scanning alert shows details about the leak
@@ -158,14 +158,14 @@ Now that we have all of the security feature enabled, let's review the security
158158
- If you re-write history, the secret will still be valid and could be used by an attacker. Also, re-writing history modifies commit hashes and can make traceability more difficult.
159159

160160
<details>
161-
<img src="images/lab-2-3-4.png"/>
161+
![image](images/lab-2-3-4.png)
162162
</details>
163163

164164
4. If you view an alert and choose **Verify secret** and this time, it says **secret inactive**. This is a good candidate to **Close as** --> **Revoked**.
165165
- Unlike Dependabot alerts and Code Scanning alerts, secret scanning alerts are not automatically closed when the secret is removed from the code - whether by a new commit or by re-writing history. This is because the secret was exposed and you don't know who may have seen it. So, you have to manually close the alert once you revoke the token.
166166

167167
<details>
168-
<img src="images/lab-2-3-2.png"/>
168+
![image](images/lab-2-3-2.png)
169169
</details>
170170

171171

_labs/lab3.md

Lines changed: 5 additions & 5 deletions
Original file line numberDiff line numberDiff line change
@@ -39,15 +39,15 @@ models.sequelize.query(`SELECT * FROM Users WHERE email = '${req.body.email || '
3939
13. After the pull request is created, the code scanning job will have been initiated. You can see the status of the job in the pull request checks. It will take a few minutes to run.
4040

4141
<details>
42-
<img src="images/lab-3-1-3.png"/>
42+
![image](images/lab-3-1-3.png)
4343
</details>
4444

4545
10. CodeQL should find the vulnerability, so the check will fail. Also, we should see Copilot create us an autofix on the PR that we can review.
4646
11. It might take Copilot a few moments to create the autofix.
4747
12. Review the autofix - we can prevent a vulnerability from entering the repository now with a click of a button! 🎉 ⚠️⚠️ **But don't commit the suggestion yet.** ⚠️⚠️
4848

4949
<details>
50-
<img src="images/lab-3-1-4.png"/>
50+
![image](images/lab-3-1-4.png)
5151
</details>
5252

5353
## Exercise 2: Creating a code scanning ruleset
@@ -61,7 +61,7 @@ Without a ruleset (GitHub's new version of branch protections), even though Code
6161
2. On the left hand list of options, click on **Rules --> Rulesets**.
6262

6363
<details>
64-
<img src="images/lab-3-2-1.png"/>
64+
![image](images/lab-3-2-1.png)
6565
</details>
6666

6767
3. Click on **New ruleset ▾ --> New branch ruleset**
@@ -74,14 +74,14 @@ Without a ruleset (GitHub's new version of branch protections), even though Code
7474
5. Scroll down and click the **Create** button.
7575

7676
<details>
77-
<img src="images/lab-3-2-2.png"/>
77+
![image](images/lab-3-2-2.png)
7878
</details>
7979

8080
7. With the ruleset created, both the JavaScript scan has to finish and no vulnerabilities found with CodeQL in order to merge the code.
8181
8. Navigate back to our open PR. The **Merge pull request** button should now be grayed out, preventing us from merging vulnerable code.
8282

8383
<details>
84-
<img src="images/lab-3-2-3.png"/>
84+
![image](images/lab-3-2-3.png)
8585
</details>
8686

8787
9. Review the **Copilot Autofix suggestion**.

_labs/lab4.md

Lines changed: 7 additions & 7 deletions
Original file line numberDiff line numberDiff line change
@@ -12,29 +12,29 @@ First, let's add the dependency review action workflow.
1212
4. Under the **Dependency Review** workflow, click **Configure**.
1313

1414
<details>
15-
<img src="images/lab-4-1-1.png"/>
15+
![image](images/lab-4-1-1.png)
1616
</details>
1717

1818
5. Review the action and its defaults on line 32-39. This action can also block specific open source license types.
1919
6. In the upper right, click on **Commit changes...**
2020
7. Since we have a ruleset, we have to create a branch and merge this to main via pull request. Create a branch and commit (**Propose changes**) the changes.
2121

2222
<details>
23-
<img src="images/lab-4-1-2.png"/>
23+
![image](images/lab-4-1-2.png)
2424
</details>
2525

2626
8. On the next screen, use the Copilot icon in the formatting bar to generate a pull request description.
2727

2828
<details>
29-
<img src="images/lab-4-1-3.png"/>
29+
![image](images/lab-4-1-3.png)
3030
</details>
3131

3232
9. Click **Create pull request**.
3333
10. Wait for the code scanning job to finish. It will take a few minutes to run.
3434
- You will notice that the Dependency Review workflow ran against this PR and didn't report any issues.
3535

3636
<details>
37-
<img src="images/lab-4-1-4.png"/>
37+
![image](images/lab-4-1-4.png)
3838
</details>
3939

4040
11. Merge the PR once the code scanning completes.
@@ -46,7 +46,7 @@ First, let's add the dependency review action workflow.
4646
17. Search for `dependency-review` and add it (it should show up under **suggestions**).
4747

4848
<details>
49-
<img src="images/lab-4-1-5.png"/>
49+
![image](images/lab-4-1-5.png)
5050
</details>
5151

5252
18. Save the changes to the ruleset.
@@ -66,7 +66,7 @@ Now, let's attempt to add a vulnerable dependency to the codebase and test out t
6666
```
6767

6868
<details>
69-
<img src="images/lab-4-2-1.png"/>
69+
![image](images/lab-4-2-1.png)
7070
</details>
7171

7272
6. Click the **Commit changes** button.
@@ -77,7 +77,7 @@ Now, let's attempt to add a vulnerable dependency to the codebase and test out t
7777
11. It should make a comment to the pull request with a note that it found a vulnerable package dependency. In fact, adding this one package would introduce 3 new vulnerabilities to our codebase.
7878

7979
<details>
80-
<img src="images/lab-4-2-2.png"/>
80+
![image](images/lab-4-2-2.png)
8181
</details>
8282

8383
12. Also, the status check will be marked as failed, preventing the pull request from being merged.

_labs/lab5.md

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -20,7 +20,7 @@ Let's use Secret Scanning with push protections to prevent secrets from entering
2020
13. Push protection should detect the GitHub personal access token and block the push - great!
2121

2222
<details>
23-
In the UI:</br><img src="images/lab-5-1-1.png"/></br></br>
23+
In the UI:</br>![image](images/lab-5-1-1.png)</br></br>
2424
</details>
2525

2626
14. Depending on how the settings are configured, we could bypass the push protection and push the secret to the repository. But, we don't want to do that! 🙅‍♂️ Repository admins and organization owners would receive an email notification if we did.
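Review bot: the `23+` line leaves the markdown image inline with the HTML text `In the UI:</br>`, so it stays inside the HTML block and `![image](images/lab-5-1-1.png)` will not be rendered as an image; put the image on its own line with blank lines around it. Separately, `</br>` is not a valid tag (browsers recover by treating it as a line break, but it is a parse error); use `<br>` or simply separate the caption and the image with a blank line.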
