File: _labs/lab1.md
Lines changed: 10 additions & 9 deletions
@@ -12,12 +12,12 @@ This lab covers parts of the following exam domains:
12
12
13
13
We need to provision our working copy of the repository in order to begin the labs!
14
14
15
-
1. Navigate to URL: [https://github.com/joshjohanning-org/juice-shop-ghas-workshop](https://github.com/joshjohanning-org/juice-shop-ghas-workshop)TODO: update URL with universe repo
16
-
2. Click on the **Use this template ▾** button.
17
-
3. Make sure you have the **githubuniverseworkshops** organization selected.
15
+
1. Navigate to URL: [https://github.com/ghuwsec1953/juice-shop-ghas-workshop](https://github.com/ghuwsec1953/juice-shop-ghas-workshop)
16
+
2. Click on the **Use this template ▾** button and select **Create a new repository**.
17
+
3. Make sure you have the **ghuwsec1953** organization selected as the **Owner**.
18
18
4. Name the repository **YOUR_USERNAME-juice-shop-ghas-workshop**.
19
-
5.❗️❗️ Make sure to check the box to **Include all branches**. The other branches are required in order to complete the workshop. ❗️❗️
20
-
6. Click the green **Create repository** button to create the repository
19
+
5.Set the repository visibility to **Internal**.
20
+
6. Click the green **Create repository** button to create the repository.
21
21
22
22
Once the repository is created, you will be automatically redirected to it. Continue on to Exercise 2.
23
23
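Review bot: the new step 5 replaces the old "Include all branches" instruction, but the removed text states that the other branches are required to complete the workshop; unless the new template repository under `ghuwsec1953` has been flattened to a single branch, participants who follow the updated steps will be missing them. Either keep "Include all branches" as its own step next to the new visibility step, or state in the text that the template no longer needs it. Minor: `5.Set the repository visibility to **Internal**.` is missing the space after the list number, so it will not render as a list item consistently with steps 4 and 6.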
@@ -40,9 +40,10 @@ In this exercise, you will be guided through the process of enabling the remaini
40
40
### Exercise 2.2: Enable Code Scanning
41
41
42
42
1. Next, let's enable **Code Scanning with CodeQL**. These settings are also under the **Code security** settings page.
43
-
2. Underneath the GitHub Advanced Security | Code Scanning heading, click the **Set up** button in the **CodeQL analysis** row.
44
-
3. There are two options: **Default** and **Advanced**. For this lab, we will use the **Default** setup which creates a workflow behind the scenes (i.e. you will not see it committed to the repo). You can use the Advanced option to manage your code scanning workflow as a GitHub Actions workflow YAML file committed to the repo.
45
-
4. Select the **Default** option, review the settings. By default, we will scan the JavaScript code, use the default CodeQL queries (for highest precision), and scan the default branch on push, pull request, and on a weekly schedule.
43
+
2. Click the **Enable** button next to GitHub Advanced Security if it is not enabled. If prompted, then click the **Enable GitHub Advanced Security for this repository** button.
44
+
3. Underneath the GitHub Advanced Security | Code Scanning heading, click the **Set up** button in the **CodeQL analysis** row.
45
+
4. There are two options: **Default** and **Advanced**. For this lab, we will use the **Default** setup which creates a workflow behind the scenes (i.e. you will not see it committed to the repo). You can use the Advanced option to manage your code scanning workflow as a GitHub Actions workflow YAML file committed to the repo.
46
+
5. Select the **Default** option and review the settings. By default, we will scan the JavaScript code (it may suggest Python as well), use the default CodeQL queries (for highest precision), and scan the default branch on push, pull request, and on a weekly schedule.
46
47
47
48
<details>
48
49
<imgsrc="images/lab-1-2-1.png"/>
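Review bot: the new step 5 says the Default setup "may suggest Python as well" but does not tell the reader what to do about it; since the rest of the exercise is written around scanning the JavaScript code, say explicitly whether to leave Python selected or deselect it, otherwise participants will end up with different CodeQL configurations and different results later in the lab. The new step 2 is a useful prerequisite (Code Scanning cannot be set up on the repository until GitHub Advanced Security is enabled for it), but "If prompted" is vague; naming the dialog that appears after clicking **Enable** would make it clearer.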
@@ -68,7 +69,7 @@ In this exercise, you will be guided through the process of enabling the remaini
68
69
### Exercise 2.3: Enable Secret Scanning
69
70
70
71
1. If it's not already enabled, click on the **Enable** button to enable Secret Scanning.
71
-
2. Check the box to **Use AI detection to find additional secrets (beta)**. This feature uses AI to find secrets/passwords that may be in your code that don't correspond to a known provider pattern.
72
+
2. Check the box to **Scan for generic secrets**. This feature uses AI to find secrets/passwords that may be in your code that don't correspond to a known provider pattern.
72
73
3. Click the **Enable** button next to the **Validity checks** setting. This feature checks if the secret is still valid for [specific partners](https://docs.github.com/en/enterprise-cloud@latest/code-security/secret-scanning/introduction/supported-secret-scanning-patterns#high-confidence-patterns), such as AWS and, of course, GitHub. As an example, you can use this feature to check if a GitHub personal access token found in the repo is still valid and needs to be revoked.
73
74
4. Click the **Enable** button next to the **Non-provider patterns** setting. This scans for patterns that don't correspond to partners but still have a common syntax, such as a MySQL or MongoDB connection string.
74
75
5. Click the **Enable** button next to the "Push protection" setting. This feature will block pushes that contain high-precision secrets. You can use this [chart](https://docs.github.com/en/enterprise-cloud@latest/code-security/secret-scanning/introduction/supported-secret-scanning-patterns#supported-secrets) to determine which types of secrets would be blocked with secret scanning push protection enabled.
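Review bot: after renaming step 2 to **Scan for generic secrets**, its description ("find secrets/passwords ... that don't correspond to a known provider pattern") now reads almost identically to the unchanged step 4 (**Non-provider patterns**: "patterns that don't correspond to partners"), so a reader may take them for the same setting. Distinguish them in the text: step 2 is the AI-based detection of unstructured secrets such as passwords, while step 4 uses fixed patterns for things like connection strings, and both are separate toggles that should be enabled.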