
Commit 5ab2c2e

Merge pull request #2 from Ignite-GHAS-Workshop/ignite-edits
Ignite edits
2 parents 99df5e5 + b6f3ff2 commit 5ab2c2e

File tree: 13 files changed (+66, -196 lines)


README.md

Lines changed: 2 additions & 10 deletions
@@ -59,27 +59,19 @@ This lab will have you utilize Secret Scanning with Push Protection to prevent s
5959

6060
---
6161

62-
### Lab 6 - Hands-on with Security Overview
63-
64-
This lab will teach you how to effectively use the Security Overview to review and alerts and coverage in an organization.
65-
66-
- Get started here - [Lab 6](./_labs/lab6.md)
67-
68-
---
69-
7062
### Extra Credit: Advanced CodeQL Setup
7163

7264
This open-ended extra credit lab will have you switch to the advanced CodeQL setup.
7365

74-
- Get started here - [Extra Credit Lab 1](./_labs/lab7-ec.md)
66+
- Get started here - [Extra Credit Lab 1](./_labs/lab6-ec.md)
7567

7668
---
7769

7870
### Extra Credit: Custom Patterns for Secret Scanning
7971

8072
This open-ended extra credit lab will have you create a custom secret scanning pattern.
8173

82-
- Get started here - [Extra Credit Lab 2](./_labs/lab8-ec.md)
74+
- Get started here - [Extra Credit Lab 2](./_labs/lab7-ec.md)
8375

8476
---
8577
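Review bot: the renumbered links `./_labs/lab6-ec.md` and `./_labs/lab7-ec.md` point at files that are not part of the diff shown here, so confirm that the extra-credit lab files were actually renamed in this merge (only 8 of the 13 changed files are visible), otherwise both "Get started here" links at lines 66 and 74 will be dead. Note also that this README keeps "Extra Credit Lab 2" (Custom Patterns for Secret Scanning) while the `_labs/README.md` index in the same commit drops that lab entirely; the two indexes should agree.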

_labs/README.md

Lines changed: 1 addition & 3 deletions
@@ -5,6 +5,4 @@
55
3. [Lab 3 - Hands-on with Code Scanning (blocking vulnerable code from entering codebase and Copilot Autofix)](./lab3.md)
66
4. [Lab 4 - Hands-on with Dependency Review (blocking vulnerable dependencies from entering codebase)](./lab4.md)
77
5. [Lab 5 - Hands-on with Secret Scanning (secret scanning with push protections)](./lab5.md)
8-
6. [Lab 6 - Hands-on with Security Overview](./lab6.md)
9-
7. [Extra credit: Advanced CodeQL Setup](./lab7-ec.md)
10-
8. [Extra credit: Custom Patterns for Secret Scanning](./lab8-ec.md)
8+
6. [Extra credit: Advanced CodeQL Setup](./lab6-ec.md)
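Review bot: the index now ends at item 6 and no longer lists the Custom Patterns for Secret Scanning extra credit, even though the top-level README.md in this same commit still links it as `./_labs/lab7-ec.md`. Either add `7. [Extra credit: Custom Patterns for Secret Scanning](./lab7-ec.md)` here or remove the lab from README.md as well so the two lists match.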

_labs/images/lab-2-1-6.png

64.8 KB

_labs/images/lab-2-1-7.png

89.2 KB

_labs/images/lab-2-3-4.png

90.2 KB

_labs/lab1.md

Lines changed: 16 additions & 17 deletions
@@ -2,15 +2,18 @@
22

33
Welcome! In this lab, you will be introduced to GitHub Advanced Security (GHAS) and its features. You will use the Juice Shop sample repository to enable the GHAS features, manage alerts, and learn how GitHub Advanced Security can keep vulnerabilities out of your code in the first place.
44

5-
This lab covers parts of the following exam domains:
6-
7-
- Domain 2: Configure and use secret scanning
8-
- Domain 3: Configure and use dependency management
9-
- Domain 4: Configure and use code scanning
10-
115
> [!TIP]
126
> We recommend opening up two browser windows, one with the lab and one with the working copy of your repo!
137
8+
## Forking the repository
9+
10+
In this exercise, you will fork a repository with code from which you can work to test our the GHAS capabilities.
11+
12+
1. Navigate to [https://github.com/Ignite-GHAS-Workshop/ghas-workshop-repo](https://github.com/Ignite-GHAS-Workshop/ghas-workshop-repo) in your browser.
13+
2. Click the **Fork** button in the upper right corner of the page.
14+
3. Fork the repository to your personal account.
15+
4. Refresh the page a few seconds after you fork the repository to see the new repository in your account.
16+
1417
## Enabling the security settings
1518

1619
In the following exercises, you will be guided through the process of enabling the remaining GHAS features. Then you will be shown how to use the features to secure your code.
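Review bot: typo in the new line 10, "test our the GHAS capabilities" should read "test out the GHAS capabilities". The new forking steps are otherwise clear; consider stating in step 3 that the fork will be public, since later exercises rely on that (code scanning and secret scanning are available on public repositories without a GHAS license).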
@@ -34,25 +37,22 @@ Although Dependabot isn't part of the GitHub Advanced Security product suite, it
3437
### Exercise 2: Enable Code Scanning
3538

3639
1. Next, let's enable **Code Scanning with CodeQL**. These settings are also under the **Code security** settings page.
37-
2. Click the **Enable** button next to GitHub Advanced Security.
38-
3. A prompt will confirm that you want to **Enable GitHub Advanced Security for this repository** - click the button.
39-
- The prompt tells you how many GitHub Advanced Security licenses you would consume by enabling this feature - which is useful if you are an organization owner and want to ensure you have enough licenses for your organization.
40-
4. Underneath the GitHub Advanced Security | Code Scanning heading, click the **Set up** button in the **CodeQL analysis** row.
41-
5. There are two options: **Default** and **Advanced**. Select the **Default** option and review the settings.
40+
2. Underneath the Code Scanning heading, click the **Set up** button in the **CodeQL analysis** row.
41+
3. There are two options: **Default** and **Advanced**. Select the **Default** option and review the settings.
4242
- For this lab, we will use the **Default** setup which creates a managed Actions workflow (i.e. you will not see a file committed to the repo). You can use the Advanced option to manage your code scanning workflow as a GitHub Actions workflow YAML file committed to the repo. The **Default** option is a great option to get started quickly to enable code scanning in a repository without needing to commit any additional code.
4343
- By default, it will scan the JavaScript code, use the default CodeQL queries (for highest precision), and scan the default branch on push, pull request, and on a weekly schedule.
4444

4545
<details>
4646
<img src="images/lab-1-2-1.png"/>
4747
</details>
4848

49-
6. Click the **Enable CodeQL** button to save the settings and enable Code Scanning.
49+
4. Click the **Enable CodeQL** button to save the settings and enable Code Scanning.
5050

5151
<details>
5252
<img src="images/lab-1-2-2.png"/>
5353
</details>
5454

55-
6. Ensure that **Copilot Autofix** is enabled (in the **Code Scanning --> Tools** section).
55+
5. Ensure that **Copilot Autofix** is enabled (in the **Code Scanning --> Tools** section).
5656

5757
<details>
5858
<img src="images/lab-1-2-3.png"/>
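Review bot: with the old steps 2 and 3 (Enable GitHub Advanced Security) removed, nothing in this exercise explains why no enablement step is needed before "Set up" in the CodeQL analysis row. Because Lab 1 now forks the public repo into a personal account, CodeQL code scanning is available without a GHAS license, but a reader following the lab on a private fork would not find the button; add one sentence above step 1 making that assumption explicit. The renumbering (4, 5) is consistent with the later hunk that renumbers 7 to 6.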
@@ -61,7 +61,7 @@ Although Dependabot isn't part of the GitHub Advanced Security product suite, it
6161
> [!NOTE]
6262
> You don't need a Copilot license in order to use the Copilot features with GitHub Advanced Security. However, Copilot can certainly be helpful in resolving issues in your IDE by using Copilot chat to explain the vulnerability and how to fix it.
6363
64-
7. Optionally, configure the **Check runs failure threshold** - by default, a pull request will be blocked if there are any high or higher security alerts.
64+
6. Optionally, configure the **Check runs failure threshold** - by default, a pull request will be blocked if there are any high or higher security alerts.
6565

6666
### Exercise 3: Enable Secret Scanning
6767

@@ -70,10 +70,9 @@ Although Dependabot isn't part of the GitHub Advanced Security product suite, it
7070
3. Click the **Enable** button next to the **Validity checks** setting. This feature checks if the secret is still valid for [specific partners](https://docs.github.com/en/enterprise-cloud@latest/code-security/secret-scanning/introduction/supported-secret-scanning-patterns#high-confidence-patterns), such as Azure, AWS, and, of course, GitHub. As an example, you can use this feature to check if a GitHub personal access token found in the repo is still valid and needs to be revoked.
7171
4. Click the **Enable** button next to the **Non-provider patterns** setting. This scans for patterns that don't correspond to partners but still have a common syntax, such as a MySQL or MongoDB connection string.
7272
5. Click the **Enable** button next to the "Push protection" setting. This feature will block pushes that contain high-precision secrets. You can use this [chart](https://docs.github.com/en/enterprise-cloud@latest/code-security/secret-scanning/introduction/supported-secret-scanning-patterns#supported-secrets) to determine which types of secrets would be blocked with secret scanning push protection enabled.
73-
6. Optionally, configure **Who can bypass push protection for secret scanning**.
73+
6. Optionally, configure **Who can bypass push protection for secret scanning**.
7474
- By default, as to not interrupt developers' workflows, anyone with write access to the repository can manually bypass a blocked push that contains secrets (administrators will be notified of this, and it is also captured in the audit logs).
75-
- You can change this to only allow select users/teams (or no one) to bypass secret scanning push protection.
76-
7. Note that you can define your own **Custom patterns** from this page to scan for secrets that don't correspond to a known provider pattern.
75+
- In Private and internal repositories in organizations using GitHub Enterprise Cloud with GitHub Advanced Security enabled, you can change this to only allow select users/teams (or no one) to bypass secret scanning push protection.
7776

7877
<details>
7978
<img src="images/lab-1-3-1.png"/>
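Review bot: capitalization in the new bullet at line 75, "In Private and internal repositories" should be "In private and internal repositories". Removing the old step 7 also drops the only pointer to **Custom patterns** on this settings page; if the Custom Patterns for Secret Scanning extra credit stays in README.md, keep a one-line mention here so readers know where that lab starts.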

_labs/lab2.md

Lines changed: 28 additions & 23 deletions
@@ -2,12 +2,6 @@
22

33
Now that we have all of the security feature enabled, let's review the security alerts that have been created and how to manage them.
44

5-
This lab covers parts of the following exam domains:
6-
7-
- Domain 2: Configure and use secret scanning
8-
- Domain 3: Configure and use dependency management
9-
- Domain 4: Configure and use code scanning
10-
115
## Exercise 1: Reviewing Dependabot alerts
126

137
1. Click the **Security** tab in the repo. This is where you can see and manage all of the security alerts for the repo.
@@ -69,6 +63,21 @@ This lab covers parts of the following exam domains:
6963
<img src="images/lab-2-1-5.png"/>
7064
</details>
7165

66+
67+
11. Auto-triage your alerts allows you control over how Dependabot opens pull requests, ignores false positives and snoozes alerts. Navigate to the **Settings** tab (the icon of the gear) in the repo, back to **Code Scanning**, then find **Dependabot rules** underneath **Dependabot**.
68+
69+
12. Add a rule to snooze any alerts that do not have a fix available. Choose the "gear" icon and select the `New rule` button. Name the rule `Snooze when no patch available`, add a target metadata for all npm packages: `ecosystem:npm` and ensure the `Dismiss Alerts` - `Until patch is available` is selected. Next, select `Create rule`.
70+
71+
<details>
72+
<img src="images/lab-2-1-6.png"/>
73+
</details>
74+
75+
13. Navigating back to the **Security** tab / **Dependabot** under the **Vulnerability alerts** heading. You will see `1 Closed` heading. Select this to find your alert `Command Injection in marsdb` without any fix has now been `Dismissed` as `auto-dismissed`. The audit log will note `Repository rule created and Snooze when no patch available was applied`
76+
77+
<details>
78+
<img src="images/lab-2-1-7.png"/>
79+
</details>
80+
7281
## Exercise 2: Reviewing Code Scanning alerts
7382

7483
1. Under the **Security** tab in the repo, click on **Code scanning** to review the code scanning alerts.
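Review bot: the new step 11 is ungrammatical ("Auto-triage your alerts allows you control over how Dependabot opens pull requests, ignores false positives and snoozes alerts"); suggest "Dependabot auto-triage rules let you control how Dependabot opens pull requests, ignores false positives and snoozes alerts." The same step sends the reader "back to **Code Scanning**" in Settings, while Lab 1 names that page **Code security**; use the same name in both labs. Step 13 is a sentence fragment ("Navigating back to the **Security** tab ... heading. You will see ...") and the quoted audit-log message at its end is missing a closing period; rewrite as "Navigate back to the **Security** tab, then **Dependabot**. Under **Vulnerability alerts** you will see a `1 Closed` heading ...".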
@@ -112,8 +121,9 @@ This lab covers parts of the following exam domains:
112121
11. It will take a little time (30-60s) to generate a suggestion. Wait for it to finish.
113122
12. If you're happy with the suggestion, click the **Commit to a new branch** button.
114123
13. Accept the defaults and click **Commit change**.
115-
14. This will create a draft pull request with the fix for the vulnerability. In a real world example, assuming your build and tests pass, you would move the PR out of a draft state, having someone on your team review it, and then merge the change.
124+
14. This will create a `draft` pull request with the fix for the vulnerability. In a real world example, assuming your build and tests pass, you would move the PR out of a draft state, having someone on your team review it, and then merge the change.
116125
- The nice thing with code scanning alerts (just like Dependabot alerts) is that once you merge the code that resolves an alert, the alert will be automatically closed. This is because the alert is no longer present in the code.
126+
117127
<details>
118128
<img src="images/lab-2-2-4.png"/>
119129
</details>
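Review bot: `draft` at line 124 is put in code font although it is not an identifier, and the labs elsewhere use bold for UI terms; the new Dependabot steps in this same file also switch to backticks for button labels (`New rule`, `Create rule`). Pick one convention for UI elements across lab2.md.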
@@ -133,36 +143,31 @@ This lab covers parts of the following exam domains:
133143
134144
## Exercise 3: Reviewing Secret Scanning alerts
135145

136-
1. Under the **Security** tab in the repo, click on the **Secret scanning** --> **Default** option. This will show all of the default secret scanning alerts.
137-
2. You should see a number of alerts. For example, there should be a **GitHub Personal Access token alert**. Click it.
146+
1. Since this is a brand new fork of a public repo, you will not have any secrets detected. The next few steps we will review what you would see if we had any secrets detected (optional steps in Lab 5.)
147+
148+
2. Under the **Security** tab in the repo, click on the **Secret scanning** view. This will show all of the secret scanning alerts. (This should be empty for you.)
149+
150+
<details>
151+
<img src="images/lab-2-3-1.png"/>
152+
</details>
153+
154+
3. Viewing a secret scanning alert shows details about the leak
138155
- This page shows where in the code the secret was discovered (if there were multiple locations, it would list them all).
139156
- If a secret is found in the code, we would want to revoke manually in the designated service.
140157
- It's recommended to revoke the secret instead of rewriting history because the secret was exposed and you don't know who may have seen it.
141158
- If you re-write history, the secret will still be valid and could be used by an attacker. Also, re-writing history modifies commit hashes and can make traceability more difficult.
142159

143160
<details>
144-
<img src="images/lab-2-3-1.png"/>
161+
<img src="images/lab-2-3-4.png"/>
145162
</details>
146163

147-
3. You can click on **Verify secret**. It will say it's not currently valid on `github.com`, but that doesn't mean it doesn't come from another GitHub instance (such as GitHub Enterprise Server).
148-
4. Go back to list of secret scanning alerts. Click on the **Google API key** alert.
149-
5. Click on **Verify secret** again. This time, it should say **secret inactive**. This is a good candidate to **Close as** --> **Revoked** (click the **Close as** button in the upper right to do so). Do this.
164+
4. If you view an alert and choose **Verify secret** and this time, it says **secret inactive**. This is a good candidate to **Close as** --> **Revoked**.
150165
- Unlike Dependabot alerts and Code Scanning alerts, secret scanning alerts are not automatically closed when the secret is removed from the code - whether by a new commit or by re-writing history. This is because the secret was exposed and you don't know who may have seen it. So, you have to manually close the alert once you revoke the token.
151-
6. Navigate back to the **Default** secret alerts list.
152-
7. We can click **1 Closed** to see the alert we just closed.
153166

154167
<details>
155168
<img src="images/lab-2-3-2.png"/>
156169
</details>
157170

158-
11. Click on the **Experimental** secret scanning alerts option. This will show all of the alerts that are not high confidence, such as generic passwords, keys, and things such as HTTP bearer authentication header tokens found in the code.
159-
12. Let's click into one of the **Password** alerts.
160-
161-
<details>
162-
<img src="images/lab-2-3-3.png"/>
163-
</details>
164-
165-
13. Just like high confidence secret scanning alerts, it shows where the secret was found in the code. The secret was found with AI, so it may or may not be a real secret or password. If it's not, we can close it manually and mark it as a false positive.
166171

167172
## Summary
168173
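Review bot: several of the new sentences in this section need grammar fixes. Step 1: "The next few steps we will review what you would see if we had any secrets detected (optional steps in Lab 5.)" should read "The next few steps review what you would see once secrets are detected (optional steps in Lab 5)." Step 3 is missing its period. Step 4 is not a sentence: "If you view an alert and choose **Verify secret** and this time, it says **secret inactive**." Suggest "If you view an alert, click **Verify secret** and it reports **secret inactive**, the alert is a good candidate to **Close as** --> **Revoked**." The removed old step 3 also carried a useful caveat (a token reported as not valid on `github.com` may still be valid on another GitHub instance such as GitHub Enterprise Server); consider keeping that sentence under the new step 4.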

_labs/lab3.md

Lines changed: 15 additions & 41 deletions
@@ -1,27 +1,12 @@
11
# Lab 3 - Hands-on with Code Scanning
22

3-
With Code Scanning enabled, we want to block vulnerable code from entering the codebase. We can define a repository ruleset to enforce this. Also, let's see how Copilot Autofix can help fix security vulnerabilities for us.
4-
5-
This lab covers parts of the following exam domains:
6-
7-
- Domain 4: Configure and use code scanning
8-
- Domain 5: Use code scanning with CodeQL
9-
- Domain 6: Describe GitHub Advanced Security best practices
3+
With Code Scanning enabled, we want to block vulnerable code from entering the codebase. We can define a repository ruleset to enforce this.
104

115
## Exercise 1: Introduce a code scanning security vulnerability
126

13-
1. Let's open up the repository in Codespaces! Navigate to the **Code** tab in the repo and click on the green **Code ▾** button. Then, click on **Codespaces** tab and **Create codespace on main**.
14-
15-
<details>
16-
<img src="images/lab-3-1-1.png"/>
17-
</details>
18-
19-
2. Give it a few moments to load the repository. Codespaces allows you full access to a cloud compute environment to develop and debug your code. It's a great way to get started with a project quickly and to contribute to open source projects.
20-
3. Now, Josh has given you a new piece of code to add to the `routes/login.ts` file.
21-
4. Before making the code change, let's create a new branch. Click **main** in the taskbar at the bottom of VSCode (the **main** that appears just to the right of your Codespaces name).
22-
5. Select **Create new branch**, enter **lab3/code-scanning-vulnerability**, and hit Enter. The branch will be created and VSCode will switch to the branch.
23-
6. Open the **routes/login.ts** file.
24-
7. Find lines 36-46 and delete them
7+
1. Navigate to the **routes/login.ts** file in your repository.
8+
2. Click the Pencil icon on the top right of the file view to edit the file.
9+
3. Find lines 36-46 and delete them
2510

2611
```diff
2712
- models.sequelize.query(
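Review bot: new step 3, "Find lines 36-46 and delete them", lacks a period and depends on hard-coded line numbers in `routes/login.ts`; since the exact block is shown in the diff fence right below, phrase it as "Delete the block starting at line 36 shown below" so the step stays correct if the file shifts. Step 2 ("Click the Pencil icon") could also name the button's tooltip, **Edit this file**, so readers can find it on narrower layouts.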
@@ -37,32 +22,21 @@ This lab covers parts of the following exam domains:
3722
- )
3823
```
3924

40-
8. At line 36, add the following code:
25+
4. At line 36, add the following code:
4126

4227
```javascript
4328
models.sequelize.query(`SELECT * FROM Users WHERE email = '${req.body.email || ''}' AND password = '${security.hash(req.body.password || '')}' AND deletedAt IS NULL`, { model: UserModel, plain: true })
4429
```
4530

46-
9. You know what? Maybe we should double-check this code from Josh. Highlight line 36. Let's ask Copilot Chat to explain this line of code. With line 36 highlighted, **right click** on the line and select **Copilot --> Explain**.
47-
48-
<details>
49-
<img src="images/lab-3-1-2.png"/>
50-
</details>
51-
52-
10. Copilot chat should open up and explain what this line is doing. And oh no, read it thoroughly - it tells us we have a vulnerability! 😱
53-
11. We can ask Copilot chat how we could fix it. Better yet, do this: right click on line 36 and select **Copilot --> Fix**. ❗️❗️ We don't want to save anything though, so just review the fix for now. Don't accept this change, click on the **Discard** button.❗️❗️
54-
12. Let's push our new branch with the vulnerability up to GitHub. Select the **Source Control** extension on the left side of Visual Studio Code
55-
13. Click the **+** button next to **login.ts** to stage the changes
56-
14. Add a commit message and click **Commit**.
57-
15. Click **Publish Branch** to push your new branch with the code changes to GitHub.
58-
16. Let's create a pull request for this branch to attempt to merge it into main.
59-
- In another browser tab, navigate back to the repository.
60-
- Alternatively navigate back to the [workshop organization](https://github.com/ghuwsec1953) and find your repo.
61-
- Click the **Pull requests** tab --> **New pull request** button --> select the `lab3/code-scanning-vulnerability` to merge into `main`.
62-
- Click **Create pull request**
63-
- In the pull request description, click the Copilot icon on the formatting bar and have Copilot generate a pull request **summary** for you.
64-
- Click **Create pull request**
65-
17. After the pull request is created, the code scanning job will have been initiated. You can see the status of the job in the pull request checks. It will take a few minutes to run.
31+
5. Let's push our new branch with the vulnerability up to GitHub.
32+
6. Click the green **Commit Changes** button on the top right of the file view.
33+
7. Keep the commit message the same, but feel free to add a description.
34+
8. Select the **Create a new branch for this commit and start a pull request** radio button.
35+
9. Keep the branch name at the default, which should be your GitHub handle followed by `-patch-1`.
36+
10. Click the **Propose changes** button.
37+
11. Click the **Create pull request** button at the bottom of the text field in the next view.
38+
12. The page will redirect to the pull request that was just created. Do not merge the pull request yet, as we want to see the code scanning results first.
39+
13. After the pull request is created, the code scanning job will have been initiated. You can see the status of the job in the pull request checks. It will take a few minutes to run.
6640

6741
<details>
6842
<img src="images/lab-3-1-3.png"/>
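Review bot: new step 5 ("Let's push our new branch with the vulnerability up to GitHub.") contains no action and refers to a branch that does not exist yet, since the branch is only created in step 8 via the "Create a new branch for this commit" radio button; fold it into step 6 as a lead-in ("Let's commit the change to a new branch and open a pull request. Click the green **Commit Changes** button ...") and renumber. Also, the merged steps 12 and 13 both describe the post-creation state; step 13 could simply start "The code scanning job starts as soon as the pull request is created".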
@@ -110,7 +84,7 @@ Without a ruleset (GitHub's new version of branch protections), even though Code
11084
<img src="images/lab-3-2-3.png"/>
11185
</details>
11286

113-
9. Review the **Copilot Autofix suggestion** - it offers a similar suggestion to what Copilot in our IDE did!
87+
9. Review the **Copilot Autofix suggestion**.
11488
10. Click on the **commit suggestion** button and **commit changes**.
11589
11. After another CodeQL scan, the PR should pass and the **Merge pull request** button should be enabled, allowing you to merge the change without the vulnerability.
11690
- ➡️ For the purposes of this lab, you don't have to actually merge the PR, so **you don't have to wait fo the CodeQL scan to finish before moving on**.
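Review bot: while step 9 is being edited here, fix the typo in the unchanged line 116 just below it, "you don't have to wait fo the CodeQL scan" should be "wait for the CodeQL scan". The shortened step 9 is fine now that the Codespaces/Copilot Chat comparison was removed from Exercise 1.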
