You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: _labs/lab2.md
+16-11Lines changed: 16 additions & 11 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -143,31 +143,36 @@ Now that we have all of the security feature enabled, let's review the security
143
143
144
144
## Exercise 3: Reviewing Secret Scanning alerts
145
145
146
-
1. Since this is a brand new fork of a public repo, you will not have any secrets detected. The next few steps we will review what you would see if we had any secrets detected (optional steps in Lab 5.)
147
-
148
-
2. Under the **Security** tab in the repo, click on the **Secret scanning** view. This will show all of the secret scanning alerts. (This should be empty for you.)
149
-
150
-
<details>
151
-
152
-
</details>
153
-
154
-
3. Viewing a secret scanning alert shows details about the leak
146
+
1. Under the **Security** tab in the repo, click on the **Secret scanning** --> **Default** option. This will show all of the default secret scanning alerts.
147
+
2. You should see a number of alerts. For example, there should be a **GitHub Personal Access token alert**. Click it.
155
148
- This page shows where in the code the secret was discovered (if there were multiple locations, it would list them all).
156
149
- If a secret is found in the code, we would want to revoke manually in the designated service.
157
150
- It's recommended to revoke the secret instead of rewriting history because the secret was exposed and you don't know who may have seen it.
158
151
- If you re-write history, the secret will still be valid and could be used by an attacker. Also, re-writing history modifies commit hashes and can make traceability more difficult.
159
152
160
153
<details>
161
-
154
+
162
155
</details>
163
156
164
-
4. If you view an alert and choose **Verify secret** and this time, it says **secret inactive**. This is a good candidate to **Close as** --> **Revoked**.
157
+
3. You can click on **Verify secret**. It will say it's not currently valid on `github.com`, but that doesn't mean it doesn't come from another GitHub instance (such as GitHub Enterprise Server).
158
+
4. Go back to list of secret scanning alerts. Click on the **Google API key** alert.
159
+
5. Click on **Verify secret** again. This time, it should say **secret inactive**. This is a good candidate to **Close as** --> **Revoked** (click the **Close as** button in the upper right to do so). Do this.
165
160
- Unlike Dependabot alerts and Code Scanning alerts, secret scanning alerts are not automatically closed when the secret is removed from the code - whether by a new commit or by re-writing history. This is because the secret was exposed and you don't know who may have seen it. So, you have to manually close the alert once you revoke the token.
161
+
6. Navigate back to the **Default** secret alerts list.
162
+
7. We can click **1 Closed** to see the alert we just closed.
166
163
167
164
<details>
168
165
169
166
</details>
170
167
168
+
8. Click on the **Experimental** secret scanning alerts option. This will show all of the alerts that are not high confidence, such as generic passwords, keys, and things such as HTTP bearer authentication header tokens found in the code.
169
+
9. Let's click into one of the **Password** alerts.
170
+
171
+
<details>
172
+
173
+
</details>
174
+
175
+
10. Just like high confidence secret scanning alerts, it shows where the secret was found in the code. The secret was found with AI, so it may or may not be a real secret or password. If it's not, we can close it manually and mark it as a false positive.
0 commit comments