You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: _labs/lab1.md
+9-10Lines changed: 9 additions & 10 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -30,8 +30,8 @@ Dependabot and Dependency Graph should already be turned on for your repository.
30
30
31
31
1. We first want to turn on the security settings for the repository. Navigate to the **Settings** tab (the icon of the gear) in the repo.
32
32
2. Click on the **Code security** section.
33
-
3.Click the **Enable** button next to the **Dependency Graph** setting. To enable Dependabot, we first have to enable the Dependency Graph. This allows Dependabot to ingest your package manifest files.
34
-
4.Click the **Enable** button next to the **Dependabot alerts** setting. This feature will create alerts for vulnerable dependencies found in your repository.
33
+
3.Ensure the Dependency Graph is enabled. This will be indicated by a red **Disable** button. If there is a black **Enable** button, click it to enable the **Dependency Graph** setting. To enable Dependabot, we first have to enable the Dependency Graph. This allows Dependabot to ingest your package manifest files.
34
+
4.Ensure the Dependabot alerts are enabled. This will be indicated by a red **Disable** button. If there is a black **Enable** button, click it to enable the **Dependabot alerts** setting. This feature will create alerts for vulnerable dependencies found in your repository.
35
35
5. Click the **Enable** button next to the **Dependabot security updates** setting.
36
36
- This will automatically create pull requests to update your vulnerable dependencies (if there is a non-vulnerable version to upgrade to).
37
37
- Note: there is a [maximum number of pull requests that this feature will create (10)](https://docs.github.com/en/enterprise-cloud@latest/code-security/dependabot/working-with-dependabot/troubleshooting-dependabot-errors#dependabot-cannot-open-any-more-pull-requests).
@@ -44,32 +44,31 @@ Dependabot and Dependency Graph should already be turned on for your repository.
44
44
45
45
Once you are done turning on Dependabot features, the next thing we will need to do is turn on GitHub Advanced Security.
46
46
47
-
### Exercise 2: Enable Code Scanning
47
+
### Exercise 2: Enable Advanced Security and Code Scanning
48
48
49
49
1. Next, let's enable **Code Scanning with CodeQL**. These settings are also under the **Code security** settings page.
50
-
2. Click the **Enable** button next to GitHub Advanced Security.
51
-
3. A prompt will confirm that you want to **Enable GitHub Advanced Security for this repository** - click the button.
50
+
2. Ensure GitHub Advanced Security is enabled. This will be indicated by a red **Disable** button. If there is a black **Enable** button, click it to enable **GitHub Advanced Security**. A prompt will confirm that you want to **Enable GitHub Advanced Security for this repository** - click the button.
52
51
- The prompt tells you how many GitHub Advanced Security licenses you would consume by enabling this feature - which is useful if you are an organization owner and want to ensure you have enough licenses for your organization.
53
-
4. Underneath the **GitHub Advanced Security | Code scanning** heading, click the **Set up** button in the **CodeQL analysis** row.
52
+
3. Underneath the **GitHub Advanced Security | Code scanning** heading, click the **Set up** button in the **CodeQL analysis** row.
54
53
55
54
> [!NOTE]
56
55
> If you do not see the **Code scanning** heading on the **Code security** page after enabling **GitHub Advanced Security** - you have likely not created your repo in the proper Organization. Go back to the beginning of this lab and ensure you choose **Ignite24-Labs** value from the dropdown as the new repository **Owner** when you choose **Use this template**.
57
56
58
-
5. There are two options: **Default** and **Advanced**. Select the **Default** option and review the settings.
57
+
4. There are two options: **Default** and **Advanced**. Select the **Default** option and review the settings.
59
58
- For this lab, we will use the **Default** setup, which creates a managed Actions workflow (i.e. you will not see a codeql.yaml file committed to the repo). You can use the Advanced option to manage your code scanning workflow as a GitHub Actions workflow YAML file committed to the repo. The **Default** option is a great option to get started quickly to enable code scanning in a repository without needing to commit any additional code.
60
59
- By default, it will scan the JavaScript code, use the default CodeQL queries (for highest precision), and scan the default branch on push, pull request, and on a weekly schedule.
61
60
62
61
<details>
63
62
64
63
</details>
65
64
66
-
6. Click the **Enable CodeQL** button to save the settings and enable Code Scanning.
65
+
5. Click the **Enable CodeQL** button to save the settings and enable Code Scanning.
67
66
68
67
<details>
69
68
70
69
</details>
71
70
72
-
7. Ensure that **Copilot Autofix** is enabled (in the **Code Scanning --> Tools** section).
71
+
6. Ensure that **Copilot Autofix**slider is enabled as **On |** (in the **Code Scanning --> Tools** section).
73
72
74
73
<details>
75
74
@@ -82,7 +81,7 @@ Once you are done turning on Dependabot features, the next thing we will need to
82
81
83
82
### Exercise 3: Enable Secret Scanning
84
83
85
-
1.Click on the **Enable** buttonto enable Secret Scanning.
84
+
1.Ensure that Secret Scanning is enabled. This will be indicated by a red **Disable** button. If there is a black **Enable** button, click it to enable **Secret Scanning**.
86
85
2. Check the box to **Scan for generic secrets**. This feature uses AI to find secrets/passwords that may be in your code that do not correspond to a known provider pattern.
87
86
3. Click the **Enable** button next to the **Validity checks** setting. This feature checks if the secret is still valid for [specific partners](https://docs.github.com/en/enterprise-cloud@latest/code-security/secret-scanning/introduction/supported-secret-scanning-patterns#high-confidence-patterns), such as Azure, AWS, and, of course, GitHub. As an example, you can use this feature to check if a GitHub personal access token found in the repo is still valid and needs to be revoked.
88
87
4. Click the **Enable** button next to the **Non-provider patterns** setting. This scans for patterns that do not correspond to partners but still have a common syntax, such as a MySQL or MongoDB connection string.
0 commit comments