Commit a716edd

Public repo experience for secrets
1 parent c091417 commit a716edd

File tree

2 files changed

+12
-17
lines changed


_labs/images/lab-2-3-4.png

90.2 KB

_labs/lab2.md

Lines changed: 12 additions & 17 deletions
Original file line number | Diff line number | Diff line change
@@ -121,7 +121,7 @@ Now that we have all of the security feature enabled, let's review the security
121121
11. It will take a little time (30-60s) to generate a suggestion. Wait for it to finish.
122122
12. If you're happy with the suggestion, click the **Commit to a new branch** button.
123123
13. Accept the defaults and click **Commit change**.
124-
14. This will create a draft pull request with the fix for the vulnerability. In a real world example, assuming your build and tests pass, you would move the PR out of a draft state, having someone on your team review it, and then merge the change.
124+
14. This will create a `draft` pull request with the fix for the vulnerability. In a real world example, assuming your build and tests pass, you would move the PR out of a draft state, having someone on your team review it, and then merge the change.
125125
- The nice thing with code scanning alerts (just like Dependabot alerts) is that once you merge the code that resolves an alert, the alert will be automatically closed. This is because the alert is no longer present in the code.
126126

127127
<details>
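Review bot: Wrapping draft in backticks in step 14 makes it read as a code identifier or a command, but it is the pull request's state; the rest of this file marks UI elements and states in bold (**Commit to a new branch**, **Commit change**), so either keep it plain as before or write **draft** for consistency. While touching this line, `having someone on your team review it` should be `have someone on your team review it` so it parallels `move the PR out of a draft state`.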
@@ -143,36 +143,31 @@ Now that we have all of the security feature enabled, let's review the security
143143
144144
## Exercise 3: Reviewing Secret Scanning alerts
145145

146-
1. Under the **Security** tab in the repo, click on the **Secret scanning** --> **Default** option. This will show all of the default secret scanning alerts.
147-
2. You should see a number of alerts. For example, there should be a **GitHub Personal Access token alert**. Click it.
146+
1. Since this is a brand new fork of a public repo, you will not have any secrets detected. The next few steps we will review what you would see if we had any secrets detected (optional steps in Lab 5.)
147+
148+
2. Under the **Security** tab in the repo, click on the **Secret scanning** view. This will show all of the secret scanning alerts. (This should be empty for you.)
149+
150+
<details>
151+
<img src="images/lab-2-3-1.png"/>
152+
</details>
153+
154+
3. Viewing a secret scanning alert shows details about the leak
148155
- This page shows where in the code the secret was discovered (if there were multiple locations, it would list them all).
149156
- If a secret is found in the code, we would want to revoke manually in the designated service.
150157
- It's recommended to revoke the secret instead of rewriting history because the secret was exposed and you don't know who may have seen it.
151158
- If you re-write history, the secret will still be valid and could be used by an attacker. Also, re-writing history modifies commit hashes and can make traceability more difficult.
152159

153160
<details>
154-
<img src="images/lab-2-3-1.png"/>
161+
<img src="images/lab-2-3-4.png"/>
155162
</details>
156163

157-
3. You can click on **Verify secret**. It will say it's not currently valid on `github.com`, but that doesn't mean it doesn't come from another GitHub instance (such as GitHub Enterprise Server).
158-
4. Go back to list of secret scanning alerts. Click on the **Google API key** alert.
159-
5. Click on **Verify secret** again. This time, it should say **secret inactive**. This is a good candidate to **Close as** --> **Revoked** (click the **Close as** button in the upper right to do so). Do this.
164+
4. If you view an alert and choose **Verify secret** and this time, it says **secret inactive**. This is a good candidate to **Close as** --> **Revoked**.
160165
- Unlike Dependabot alerts and Code Scanning alerts, secret scanning alerts are not automatically closed when the secret is removed from the code - whether by a new commit or by re-writing history. This is because the secret was exposed and you don't know who may have seen it. So, you have to manually close the alert once you revoke the token.
161-
6. Navigate back to the **Default** secret alerts list.
162-
7. We can click **1 Closed** to see the alert we just closed.
163166

164167
<details>
165168
<img src="images/lab-2-3-2.png"/>
166169
</details>
167170

168-
11. Click on the **Experimental** secret scanning alerts option. This will show all of the alerts that are not high confidence, such as generic passwords, keys, and things such as HTTP bearer authentication header tokens found in the code.
169-
12. Let's click into one of the **Password** alerts.
170-
171-
<details>
172-
<img src="images/lab-2-3-3.png"/>
173-
</details>
174-
175-
13. Just like high confidence secret scanning alerts, it shows where the secret was found in the code. The secret was found with AI, so it may or may not be a real secret or password. If it's not, we can close it manually and mark it as a false positive.
176171

177172
## Summary
178173

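Review bot: Step 4 in the new text is a sentence fragment: `If you view an alert and choose **Verify secret** and this time, it says **secret inactive**.` has no main clause. Suggest `If you view an alert, choose **Verify secret**, and it reports **secret inactive**, the alert is a good candidate to **Close as** --> **Revoked**.` Two smaller points in the same hunk: step 1's `The next few steps we will review what you would see` should read `In the next few steps we will review what you would see`, and the closing `(optional steps in Lab 5.)` should put the period outside the parenthesis. Also, removing the Experimental-alerts steps drops this file's only reference to `images/lab-2-3-3.png`, yet the file tree shows only lab-2-3-4.png and lab2.md changed; if nothing else references lab-2-3-3.png, delete it in this commit so the images directory does not accumulate orphans.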