Add security overview and custom patterns extra credit

felickz · web-flow · commit b9d9aadc7e08 · 2024-11-06T20:25:37.000-05:00
diff --git a/README.md b/README.md
@@ -59,11 +59,28 @@ This lab will have you utilize Secret Scanning with Push Protection to prevent s
 
 ---
 
+### Lab 6 - Hands-on with Security Overview
+
+This lab will teach you how to effectively use the Security Overview to review and alerts and coverage in an organization.
+
+- Get started here - [Lab 6](./_labs/lab6.md)
+
+---
+
+
 ### Extra Credit: Advanced CodeQL Setup
 
 This open-ended extra credit lab will have you switch to the advanced CodeQL setup.
 
-- Get started here - [Extra Credit Lab 1](./_labs/lab6-ec.md)
+- Get started here - [Extra Credit Lab 1](./_labs/lab7-ec.md)
+
+---
+
+### Extra Credit: Custom Patterns for Secret Scanning
+
+This open-ended extra credit lab will have you create a custom secret scanning pattern.
+
+- Get started here - [Extra Credit Lab 2](./_labs/lab8-ec.md)
 
 ---
 
diff --git a/_labs/lab6.md b/_labs/lab6.md
@@ -0,0 +1,48 @@
+# Lab 6 - Hands-on with Security Overview
+
+We've covered how to review alerts in a single repository, but how is your org or team doing? Next, we'll check out the Security Overview at the organizational level to see how we can get a high-level view of the security posture of our organization.
+
+This lab covers parts of the following exam domains:
+
+- Domain 6: Describe GitHub Advanced Security best practices
+
+## Exercise 1: Navigating to Security Overview
+
+The Security Overview can be used by anyone inside of an organization; it shows repositories that **you** have access to. If you are an org owner or a security manager, you would see all alerts. If you are a regular org member, you would only see alerts for repositories by default that you have write access to.
+
+> [!NOTE]
+> Security alerts for a repository are visible to people with write, maintain, or admin access to the repository and, when the repository is owned by an organization, organization owners. You can give additional teams and people access to the alerts.
+1. Navigate to the organization. You can do so by **clicking on the org name** (`Ignite24-Labs`) in the repository breadcrumbs in the upper left hand corner.
+    - You can also navigate to your orgs by clicking on your profile picture and "**Your organizations**"
+2. Click on the **Security** tab.
+3. Review (and click on!) the different views on the left-hand side:
+    - Overview: visualize trends in Detection, Remediation, and Prevention of security alerts ([docs](https://docs.github.com/en/enterprise-cloud@latest/code-security/security-overview/viewing-security-insights#about-security-insights))
+    - Risk: explore the risk from security alerts of all types or focus on a single alert type and identify your risk from specific vulnerable dependencies, code weaknesses, or leaked secrets ([docs](https://docs.github.com/en/enterprise-cloud@latest/code-security/security-overview/assessing-code-security-risk))
+    - Coverage: assess the adoption of code security features across repositories in the organization ([docs](https://docs.github.com/en/enterprise-cloud@latest/code-security/security-overview/assessing-adoption-code-security))
+    - Enablement trends: see how quickly different teams are adopting security features
+    - CodeQL pull request alerts: assess the impact of running CodeQL on pull requests and how development teams are resolving code scanning alerts ([docs](https://docs.github.com/en/enterprise-cloud@latest/code-security/security-overview/viewing-metrics-for-pull-request-alerts))
+    - Secret scanning: find out which types of secret are blocked by push protection and which teams are bypassing push protection ([docs](https://docs.github.com/en/enterprise-cloud@latest/code-security/security-overview/viewing-metrics-for-secret-scanning-push-protection))
+
+> [!TIP]
+> You can export a CSV of nearly from most of these views using the **Export CSV** button in the upper right.
+4. Under the **Overview** view, navigate the sub-views, specifically **Detection** and **Remediation**.
+    - Note the trends - this is useful information to evaluate the security posture of your organization. Are we getting better over time?
+    - Being secure requires "constant vigilance"
+5. Navigate to the **Risk** view.
+6. On the right-hand side, click the **Teams ▾** button/dropdown.
+7. Click on the **all users** team - this team is only added to a different sample repo, so note how the total alerts changes.
+    - This can be really useful for a manager, architect, or developer to see which repositories assigned to the teams have security features enabled and how many alerts they are generating.
+8. At the bottom of the options on the left, you will see **Security Campaigns**.
+    - Security campaigns are a new feature designed to help administrators and security managers create targeted campaigns and track remediation progress effectively.
+9. ⚠️ Please don't create a new security campaign as to not introduce noise to your fellow attendees ⚠️, but click on the existing campaign here (**SQL injection (CWE-89)**) to check it out!
+    - How are we doing on our goal?
+
+## Summary
+
+That's the security overview! Use these views to monitor and manage your security posture effectively. By leveraging the detailed insights provided in each section, you can identify potential threats, take proactive measures, and ensure your systems remain secure.
+
+If you want to learn more about the security overview or about what a particular view shows, check out the [docs](https://docs.github.com/en/enterprise-cloud@latest/code-security/security-overview/about-security-overview)!
+
+Congrats, you have finished all of the main labs! 🎉 If you have time or are up for a challenge, try out the extra credit labs!
+
+➡️ Head back to the [labs](README.md) page to try your hand at the extra credit labs.
diff --git a/_labs/lab7-ec.md b/_labs/lab7-ec.md
diff --git a/_labs/lab8-ec.md b/_labs/lab8-ec.md
@@ -0,0 +1,23 @@
+# Extra Credit - Lab 8 - Custom Patterns for Secret Scanning
+
+We are just using the out of the box secret scanning settings. Perhaps you are interested in finding other patterns, such as credit card patterns, committed in the code.
+
+
+## Exercise
+
+Your assignment here is to implement a secret scanning custom pattern. You can start under the **Settings** --> **Code Security and Analysis** page.
+
+If you are looking for an example of what to search for, we suggest creating a pattern for finding a credit card! A developer may or may not have accidentally committed customer credit card numbers to the repository and we need to alert on this.
+
+Create a pattern, run a dry-run, and hopefully you find the pattern! If so, save the custom secret scanning pattern to implement.
+
+
+> [!TIP]
+> AI can help you get started generating those pesky regular expressions using natural language.  Look for the **Generate with AI** button in the top right corner.
+> For increased precision, you can check out [examples for custom patterns for secret scanning](https://github.com/advanced-security/secret-scanning-custom-patterns/tree/main?tab=readme-ov-file#personally-identifiable-information-pii), including a credit card example (under PII), in the [advanced-security/secret-scanning-custom-patterns](https://github.com/advanced-security/secret-scanning-custom-patterns/tree/main?tab=readme-ov-file#personally-identifiable-information-pii) repo!
+
+## Summary
+
+In this lab, you should have identified the credit card number that was accidentally committed. Custom secret scanning patterns offer an excellent way to implement additional scanning patterns that are crucial for your organization!
+
+➡️ Head back to the [labs](README.md) page.
