You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: _labs/lab1.md
+11-8Lines changed: 11 additions & 8 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -26,6 +26,8 @@ In the following exercises, you will be guided through the process of enabling t
26
26
27
27
Although Dependabot isn't part of the GitHub Advanced Security product suite, it is still an important tool to discuss from an overall security posture.
28
28
29
+
Dependabot and Dependency Graph should already be turned on for your repository. If not, follow the steps below.
30
+
29
31
1. We first want to turn on the security settings for the repository. Navigate to the **Settings** tab (the icon of the gear) in the repo.
30
32
2. Click on the **Code security** section.
31
33
3. Click the **Enable** button next to the **Dependency Graph** setting. To enable Dependabot, we first have to enable the Dependency Graph. This allows Dependabot to ingest your package manifest files.
@@ -35,12 +37,13 @@ Although Dependabot isn't part of the GitHub Advanced Security product suite, it
35
37
- Note: there is a [maximum number of pull requests that this feature will create (10)](https://docs.github.com/en/enterprise-cloud@latest/code-security/dependabot/working-with-dependabot/troubleshooting-dependabot-errors#dependabot-cannot-open-any-more-pull-requests).
36
38
37
39
<details>
38
-
39
-
40
+
40
41
41
42
42
43
</details>
43
44
45
+
Once you are done turning on Dependabot features, the next thing we will need to do is turn on GitHub Advanced Security.
46
+
44
47
### Exercise 2: Enable Code Scanning
45
48
46
49
1. Next, let's enable **Code Scanning with CodeQL**. These settings are also under the **Code security** settings page.
@@ -50,10 +53,10 @@ Although Dependabot isn't part of the GitHub Advanced Security product suite, it
50
53
4. Underneath the **GitHub Advanced Security | Code scanning** heading, click the **Set up** button in the **CodeQL analysis** row.
51
54
52
55
> [!NOTE]
53
-
> If you do not see the **Code scanning** heading on the **Code security** page after enabling **GitHub Advanced Security** - you have likely not created your repo in the proper Organization. Go back to the beginning of this lab and ensure you choose **Ignite24-Labs** value from the dropdown as the new repository **Owner** when you choose **Use this template**.
56
+
> If you do not see the **Code scanning** heading on the **Code security** page after enabling **GitHub Advanced Security** - you have likely not created your repo in the proper Organization. Go back to the beginning of this lab and ensure you choose **Ignite24-Labs** value from the dropdown as the new repository **Owner** when you choose **Use this template**.
54
57
55
58
5. There are two options: **Default** and **Advanced**. Select the **Default** option and review the settings.
56
-
- For this lab, we will use the **Default** setup which creates a managed Actions workflow (i.e. you will not see a file committed to the repo). You can use the Advanced option to manage your code scanning workflow as a GitHub Actions workflow YAML file committed to the repo. The **Default** option is a great option to get started quickly to enable code scanning in a repository without needing to commit any additional code.
59
+
- For this lab, we will use the **Default** setup, which creates a managed Actions workflow (i.e. you will not see a codeql.yaml file committed to the repo). You can use the Advanced option to manage your code scanning workflow as a GitHub Actions workflow YAML file committed to the repo. The **Default** option is a great option to get started quickly to enable code scanning in a repository without needing to commit any additional code.
57
60
- By default, it will scan the JavaScript code, use the default CodeQL queries (for highest precision), and scan the default branch on push, pull request, and on a weekly schedule.
58
61
59
62
<details>
@@ -73,21 +76,21 @@ Although Dependabot isn't part of the GitHub Advanced Security product suite, it
73
76
</details>
74
77
75
78
> [!NOTE]
76
-
> You don't need a Copilot license in order to use the Copilot features with GitHub Advanced Security. However, Copilot can certainly be helpful in resolving issues in your IDE by using Copilot chat to explain the vulnerability and how to fix it.
79
+
> You do not need a Copilot license in order to use the Copilot features with GitHub Advanced Security. However, Copilot can certainly be helpful in resolving issues in your IDE by using Copilot chat to explain the vulnerability and how to fix it.
77
80
78
81
8. Optionally, configure the **Check runs failure threshold** - by default, a pull request will be blocked if there are any high or higher security alerts.
79
82
80
83
### Exercise 3: Enable Secret Scanning
81
84
82
85
1. Click on the **Enable** button to enable Secret Scanning.
83
-
2. Check the box to **Scan for generic secrets**. This feature uses AI to find secrets/passwords that may be in your code that don't correspond to a known provider pattern.
86
+
2. Check the box to **Scan for generic secrets**. This feature uses AI to find secrets/passwords that may be in your code that do not correspond to a known provider pattern.
84
87
3. Click the **Enable** button next to the **Validity checks** setting. This feature checks if the secret is still valid for [specific partners](https://docs.github.com/en/enterprise-cloud@latest/code-security/secret-scanning/introduction/supported-secret-scanning-patterns#high-confidence-patterns), such as Azure, AWS, and, of course, GitHub. As an example, you can use this feature to check if a GitHub personal access token found in the repo is still valid and needs to be revoked.
85
-
4. Click the **Enable** button next to the **Non-provider patterns** setting. This scans for patterns that don't correspond to partners but still have a common syntax, such as a MySQL or MongoDB connection string.
88
+
4. Click the **Enable** button next to the **Non-provider patterns** setting. This scans for patterns that do not correspond to partners but still have a common syntax, such as a MySQL or MongoDB connection string.
86
89
5. Click the **Enable** button next to the "Push protection" setting. This feature will block pushes that contain high-precision secrets. You can use this [chart](https://docs.github.com/en/enterprise-cloud@latest/code-security/secret-scanning/introduction/supported-secret-scanning-patterns#supported-secrets) to determine which types of secrets would be blocked with secret scanning push protection enabled.
87
90
6. Optionally, configure **Who can bypass push protection for secret scanning**.
88
91
- By default, as to not interrupt developers' workflows, anyone with write access to the repository can manually bypass a blocked push that contains secrets (administrators will be notified of this, and it is also captured in the audit logs).
89
92
- In Private and internal repositories in organizations using GitHub Enterprise Cloud with GitHub Advanced Security enabled, you can change this to only allow select users/teams (or no one) to bypass secret scanning push protection.
90
-
7. Note that you can define your own **Custom patterns** from this page to scan for secrets that don't correspond to a known provider pattern.
93
+
7. Note that you can define your own **Custom patterns** from this page to scan for secrets that do not correspond to a known provider pattern.
0 commit comments