Merge pull request #5 from ghuwsec1953/add-labs

Add labs

Author: Admin-02 SecW01

README.md

@@ -59,6 +59,30 @@ This lab will have you utilize Secret Scanning with Push Protection to prevent s
 
 ---
 
+### Lab 6 - Hands-on with Security Overview
+
+This lab will teach you how to effectively use the Security Overview to review and alerts and coverage in an organization.
+
+- Get started here - [Lab 6](./_labs/lab6.md)
+
+---
+
+### Extra Credit: Advanced CodeQL Setup
+
+This open-ended extra credit lab will have you switch to the advanced CodeQL setup.
+
+- Get started here - [Extra Credit Lab 1](./_labs/lab7-ec.md)
+
+---
+
+### Extra Credit: Custom Secret Scanning Patterns
+
+This open-ended extra credit lab will have you create a custom secret scanning pattern.
+
+- Get started here - [Extra Credit Lab 2](./_labs/lab8-ec.md)
+
+---
+
 ## :book: Resources
 - [GitHub Docs - About GitHub Advanced Security](https://docs.github.com/en/get-started/learning-about-github/about-github-advanced-security)
 - [GitHub Security Learning Pathway](https://resources.github.com/learn/pathways/security/)

_labs/README.md

@@ -5,3 +5,6 @@
 3. [Lab 3 - Hands-on with Code Scanning (blocking vulnerable code from entering codebase and Copilot Autofix)](./lab3.md)
 4. [Lab 4 - Hands-on with Dependency Review (blocking vulnerable dependencies from entering codebase)](./lab4.md)
 5. [Lab 5 - Hands-on with Secret Scanning (secret scanning with push protections)](./lab5.md)
+6. [Lab 6 - Hands-on with Security Overview](./lab6.md)
+7. [Extra credit: Advanced CodeQL Setup](./lab7-ec.md)
+8. [Extra credit: Custom Secret Scanning Patterns](./lab8-ec.md)

_labs/images/lab-3-2-2.png

@@ -8,27 +8,14 @@ This lab covers parts of the following exam domains:
 - Domain 3: Configure and use dependency management
 - Domain 4: Configure and use code scanning
 
-## Exercise 1: Create the repository
-
-We need to provision our working copy of the repository in order to begin the labs!
-
-1. Navigate to URL: [https://github.com/ghuwsec1953/juice-shop-ghas-workshop](https://github.com/ghuwsec1953/juice-shop-ghas-workshop)
-2. Click on the **Use this template ▾** button and select **Create a new repository**.
-3. Make sure you have the **ghuwsec1953** organization selected as the **Owner**.
-4. Name the repository **YOUR_USERNAME-juice-shop-ghas-workshop**.
-5. Set the repository visibility to **Internal**.
-6. Click the green **Create repository** button to create the repository.
-
-Once the repository is created, you will be automatically redirected to it.  Continue on to Exercise 2.
-
 > [!TIP]
 > We recommend opening up two browser windows, one with the lab and one with the working copy of your repo!
 
-## Exercise 2: Enabling the security settings
+## Exercise 1: Enabling the security settings
 
 In this exercise, you will be guided through the process of enabling the remaining GHAS features. Then you will be shown how to use the features to secure your code.
 
-### Exercise 2.1: Enable Dependabot
+### Exercise 2: Enable Dependabot
 
 Although Dependabot isn't part of the GitHub Advanced Security product suite, it is still an important tool to discuss from an overall security posture.
 
@@ -44,7 +31,7 @@ Although Dependabot isn't part of the GitHub Advanced Security product suite, it
   <img src="images/lab-1-1-1.png"/>
 </details>
 
-### Exercise 2.2: Enable Code Scanning
+### Exercise 3: Enable Code Scanning
 
 1. Next, let's enable **Code Scanning with CodeQL**. These settings are also under the **Code security** settings page.
 2. Click the **Enable** button next to GitHub Advanced Security.
@@ -76,7 +63,7 @@ Although Dependabot isn't part of the GitHub Advanced Security product suite, it
 
 7. Optionally, configure the **Check runs failure threshold** - by default, a pull request will be blocked if there are any high or higher security alerts.
 
-### Exercise 2.3: Enable Secret Scanning
+### Exercise 4: Enable Secret Scanning
 
 1. Click on the **Enable** button to enable Secret Scanning.
 2. Check the box to **Scan for generic secrets**. This feature uses AI to find secrets/passwords that may be in your code that don't correspond to a known provider pattern.

_labs/images/lab-3-2-3.png

@@ -95,26 +95,19 @@ Without a ruleset (GitHub's new version of branch protections), even though Code
     1. Give the ruleset a **name** (any name is fine)
     2. Change the **enforcement status** to **Active**.
     3. Under **target branches**, click **Add target** and select **Include default branch**.
-    4. Scroll down and check the **Require status checks to pass** box
-    5. Click on the **+ Add checks ▾** button
-    6. Search for **CodeQL**. We should see a suggested **CodeQL** check show up with **GitHub Advanced Security** text to the right. Add it.
+    4. Scroll down and check the **Require code scanning results** box
+    5. The CodeQL tool should already be there - there's nothing to change
+5. Scroll down and click the **Create** button.
 
 <details>
   <img src="images/lab-3-2-2.png"/>
 </details>
 
-5. Let's also search for **Analyze**. We should see a **Analyze (javascript-typescript)** check show up. Add it.
-6. Scroll down and click the **Create** button.
-
-<details>
-  <img src="images/lab-3-2-3.png"/>
-</details>
-
 7. With the ruleset created, both the JavaScript scan has to finish and no vulnerabilities found with CodeQL in order to merge the code.
 8. Navigate back to our open PR. The **Merge pull request** button should now be grayed out, preventing us from merging vulnerable code.
 
 <details>
-  <img src="images/lab-3-2-4.png"/>
+  <img src="images/lab-3-2-3.png"/>
 </details>
 
 9. Review the **Copilot Autofix suggestion** - it offers a similar suggestion to what Copilot in our IDE did!

_labs/images/lab-3-2-4.png

@@ -42,3 +42,5 @@ This lab covers parts of the following exam domains:
 Celebrate 🎉! We just prevented a secret from entering our codebase!
 
 And there you have it. You should now have a good grasp on what GitHub Advanced Security is, how it works, and how to implement it. So get out there and keep your company secured!
+
+➡️ Head back to the [labs](README.md) page to continue on to the next lab.

_labs/lab1.md

@@ -0,0 +1,50 @@
+# Lab 6 - Hands-on with Security Overview
+
+We've covered how to review alerts in a single repository, but how is your org or team doing? Next, we'll check out the Security Overview at the organizational level to see how we can get a high-level view of the security posture of our organization.
+
+This lab covers parts of the following exam domains:
+
+- Domain 6: Describe GitHub Advanced Security best practices
+
+## Exercise 1: Navigating to Security Overview
+
+The Security Overview can be used by anyone inside of an organization; it shows repositories that you have access to. If you are an org owner or a security manager, you would see all alerts. If you are a regular org member, you would only see alerts for repositories by default that you have write access to.
+
+> [!NOTE]
+> Security alerts for a repository are visible to people with write, maintain, or admin access to the repository and, when the repository is owned by an organization, organization owners. You can give additional teams and people access to the alerts.
+
+1. Navigate to the organization. You can do so by **clicking on the org name** (`ghuwsec1953`) in the repository breadcrumbs in the upper left hand corner.
+    - You can also navigate to your orgs by clicking on your profile picture and "**Your organizations**"
+2. Click on the **Security** tab.
+3. Review (and click on!) the different views on the left-hand side:
+    - Overview: visualize trends in Detection, Remediation, and Prevention of security alerts ([docs](https://docs.github.com/en/enterprise-cloud@latest/code-security/security-overview/viewing-security-insights#about-security-insights))
+    - Risk: explore the risk from security alerts of all types or focus on a single alert type and identify your risk from specific vulnerable dependencies, code weaknesses, or leaked secrets ([docs](https://docs.github.com/en/enterprise-cloud@latest/code-security/security-overview/assessing-code-security-risk))
+    - Coverage: assess the adoption of code security features across repositories in the organization ([docs](https://docs.github.com/en/enterprise-cloud@latest/code-security/security-overview/assessing-adoption-code-security))
+    - Enablement trends: see how quickly different teams are adopting security features
+    - CodeQL pull request alerts: assess the impact of running CodeQL on pull requests and how development teams are resolving code scanning alerts ([docs](https://docs.github.com/en/enterprise-cloud@latest/code-security/security-overview/viewing-metrics-for-pull-request-alerts))
+    - Secret scanning: find out which types of secret are blocked by push protection and which teams are bypassing push protection ([docs](https://docs.github.com/en/enterprise-cloud@latest/code-security/security-overview/viewing-metrics-for-secret-scanning-push-protection))
+
+> [!TIP]
+> You can export a CSV of nearly from most of these views using the **Export CSV** button in the upper right.
+
+4. Under the **Overview** view, navigate the sub-views, specifically **Detection** and **Remediation**.
+    - Note the trends - this is useful information to evaluate the security posture of your organization. Are we getting better over time?
+    - Being secure requires "constant vigilance"
+5. Navigate to the **Risk** view.
+6. On the right-hand side, click the **Teams ▾** button/dropdown.
+7. Click on the **all users** team - this team is only added to a different sample repo, so note how the total alerts changes.
+    - This can be really useful for a manager, architect, or developer to see which repositories assigned to the teams have security features enabled and how many alerts they are generating.
+8. At the bottom of the options on the left, you will see **Security Campaigns**.
+    - Security campaigns are a new feature designed to help administrators and security managers create targeted campaigns and track remediation progress effectively.
+9. ⚠️ Please don't create a new security campaign as to not introduce noise to your fellow attendees ⚠️, but click on the existing campaign here (**SQL injection (CWE-89)**) to check it out!
+    - How are we doing on our goal?
+
+## Summary
+
+That's the security overview! Use these views to monitor and manage your security posture effectively. By leveraging the detailed insights provided in each section, you can identify potential threats, take proactive measures, and ensure your systems remain secure.
+
+If you want to learn more about the security overview or about what a particular view shows, check out the [docs](https://docs.github.com/en/enterprise-cloud@latest/code-security/security-overview/about-security-overview)!
+
+Congrats, you have finished all of the main labs! 🎉 If you have time or are up for a challenge, try out the extra credit labs!
+
+➡️ Head back to the [labs](README.md) page to try your hand at the extra credit labs.

_labs/lab3.md

@@ -0,0 +1,35 @@
+# Extra Credit - Lab 7 - Advanced CodeQL Setup
+
+We set up Code Scanning with CodeQL using the default method. Now, let's try using the **[advanced setup](https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/configuring-advanced-setup-for-code-scanning)**!
+
+This extra credit lab covers parts of the following exam domains:
+
+- Domain 4: Configure and use code scanning
+- Domain 5: Use code scanning with CodeQL
+- Domain 6: Describe GitHub Advanced Security best practices
+
+## Exercise
+
+Why might you want to use the advanced setup? Here are some reasons:
+
+- More control over triggers and schedule
+- When pulling in packages from a private feed, you may have to provide instructions on authorizing to the NuGet, NPM, Maven, etc. feed.
+- For compiled languages, providing more instructions on how to build the code
+- Ability to customize your runners TODO: is this true? i think you can use code-scanning label with default workflow but i cannot remember
+- Ability to customize the CodeQL configuration (such as query suites used)
+- Manage code scanning settings "as code"
+- Utilize 3rd party code scanning tooling
+
+### Assignment
+
+Your assignment here is to switch to the **[advanced setup](https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/configuring-advanced-setup-for-code-scanning)**. You can start under the **Settings** --> **Code Security and Analysis** page.
+
+Your goal is to have a CodeQL workflow committed that successfully scans your code. Pay attention to some of the configuration options for the CodeQL scanning action. Refer to the documentation for more details.
+
+TODO: add link
+
+## Summary
+
+TODO: add content
+
+➡️ Head back to the [labs](README.md) page.