Merge pull request #4 from githubtraining/hectorsector-runthrough

Fixes from a full run-through

Author: hectorsector

config.yml

@@ -48,7 +48,7 @@ steps:
         with: 01_closed-issue.md
         data:
           url: '%actions.firstIssue.data.html_url%'
-          pages: '%actions.pagesUrl.data.html_url%'
+          pagesUrl: '%actions.pagesUrl.data.html_url%'
 
   # Step 2
   # Learner comments on issue with the recommended updated version
@@ -82,7 +82,7 @@ steps:
         right: '%actions.fileContents%'
         else:
         - type: respond
-          issue: 4
+          issue: Update the vulnerable dependency
           with: 03_adding-bad-changes.md
       - type: removeBranchProtection
       - type: respond
@@ -111,7 +111,7 @@ steps:
           with: 04_accidental-close.md
       - type: updateBranchProtection
       - type: createIssue
-        title: Add dependabot to your repository
+        title: Add Dependabot to your repository
         body: 04_add-dependabot.md #dependabot issue body response
         action_id: dependabotIssue
       - type: respond
@@ -123,8 +123,8 @@ steps:
   # Learner installs dependabot on repository and closes the issue
   # Bot creates new issue about adding a security policy with suggested information about the security policy. Prompts learner to merge when ready
 
-  - title: Enable dependabot
-    description: Install dependabot on your repository.
+  - title: Enable Dependabot
+    description: Install Dependabot on your repository.
     event: issues.closed
     link: '{{ repoUrl }}/issues/5'
     actions:
@@ -133,7 +133,7 @@ steps:
       body: 05_add-security-policy.md #security policy issue body (add branch name instructions and examples)
       action_id: securityIssue
     - type: respond
-      issue: 5
+      issue: Add Dependabot to your repository
       with: 05_successful-close.md #link to security issue
       data:
         url: '%actions.securityIssue.data.html_url%'
@@ -170,7 +170,7 @@ steps:
         head: add-wolverine-image
         action_id: addWolverine
       - type: respond
-        issue: 8
+        issue: '%actions.addWolverine.data.number%'
         with: 06_remove-sensitive-commit.md
       - type: respond
         with: 06_good-merge.md
@@ -196,14 +196,14 @@ steps:
       action_id: prFiles
     - type: gate
       left: '%actions.prFiles.data%'
-      operator: includes
+      operator: '!includes'
       right: 'filename:.env'
       required: false
       else:
       - type: respond
-        with: 07_success-file-change.md #failed response to remove .env file
+        with: 07_error-file-change.md #success response to remove .env file | Add note about contacting support for garbage collection
     - type: respond
-      with: 07_error-file-change.md #success response to remove .env file | Add note about contacting support for garbage collection
+      with: 07_success-file-change.md #failed response to remove .env file
 
   # Step 9
   # Learner approves PR
@@ -229,7 +229,7 @@ steps:
         head: add-gitignore
         action_id: addGitignore
       - type: respond
-        issue: 8
+        issue: Add wolverine octocat to game
         with: 08_go-to-gitignore.md # Bot response to new PR
         data:
           url: '%actions.addGitignore.data.html_url%'
@@ -298,7 +298,7 @@ steps:
     link: '{{ repoUrl }}/issues/10'
     actions:
       - type: gate
-        left: '848cd8c2043f6161a4f0043bffee212777281494'
+        left: '848cd8'
         operator: test
         right: '%payload.comment.body%'
         else:
@@ -319,25 +319,25 @@ steps:
     link: '{{ repoUrl }}/issues/10'
     actions:
       - type: gate
-        left: '848cd8c, 56d6fbb'
-        operator: test
+        left: '/(848cd8c)|(56d6fbb)/g'
+        operator: '!test'
         right: '%payload.comment.body%'
         else:
-          - type: octokit
-            method: repos.getPages
-            owner: '%payload.repository.owner.login%'
-            repo: '%payload.repository.name%'
-            action_id: pagesUrl
-          - type: createIssue
-            title: Congratulations!
-            body: 12_final-issue.md
-            data:
-              url: '%actions.pagesUrl.data.html_url%'
-            action_id: finalIssue
-          - type: updateBranchProtection
-          - type: respond
-            with: 12_correct-references-removed.md # replace with nice job removing .env file response
-            data:
-              url: '%actions.finalIssue.data.html_url%'
+        - type: respond
+          with: 12_try-again-response.md
+      - type: octokit
+        method: repos.getPages
+        owner: '%payload.repository.owner.login%'
+        repo: '%payload.repository.name%'
+        action_id: pagesUrl
+      - type: createIssue
+        title: Congratulations!
+        body: 12_final-issue.md
+        data:
+          pagesUrl: '%actions.pagesUrl.data.html_url%'
+        action_id: finalIssue
+      - type: updateBranchProtection
       - type: respond
-        with: 12_try-again-response.md
+        with: 12_correct-references-removed.md # replace with nice job removing .env file response
+        data:
+          url: '%actions.finalIssue.data.html_url%'

responses/00_introduction-issue.md

@@ -1,16 +1,16 @@
-## :tada: Welcome to Security strategy essentials!
+## :tada: Welcome to security strategy essentials!
 
-In this course, you'll learn how to build and host a secure repository in GitHub.  A secure repository is important for many reasons.
+In this course, you'll learn how to build and host a secure repository in GitHub.  A secure repository is important for many reasons, including:
 - Prevents exposing sensitive data
 - Enforces secure development best practices
-- Guards against unintended access rights permissions
+- Guards against unintended access rights and permissions
 
 In this course you will learn how to:
 
-- Opt-in to vulnerability alerts for private repositories
-  - _Note: These security settings are default for public repositories that are not forks._
-- Detect and fix vulnerable dependencies when notified by a vulnerability alert
-- Automate outdated dependency detection with dependabot
+- Opt-in to security alerts for private repositories
+  - _Note: Vulnerability monitoring and security alerts are enabled by default for public repositories that are not forks._
+- Fix vulnerable dependencies when notified by a security  alert
+- Automate security fixes with Dependabot
 - Follow security best practices to protect sensitive data by using a `.gitignore` file
 - Remove sensitive data and files committed to a repository
 

responses/01_find-vulnerabilities.md

@@ -1,16 +1,16 @@
 ## Finding vulnerable dependencies
 
-Security vulnerabilities can cause a range of problems for your project or the people who use it.  A vulnerability could affect the confidentiality, integrity, or availability of a project.  Sometimes vulnerabilities aren't in the code you write, but in the code your project depends on. Staying up-to-date with the most recent versions is the best line of defense.
+Security vulnerabilities can cause a range of problems for your project or the people who use it.  A vulnerability could affect the confidentiality, integrity, or availability of a project.  Sometimes vulnerabilities aren't in the code you write, but in the code your project depends on. Staying up-to-date with the most recent versions is the best line of defense, but has the potential to cause integration issues, so GitHub alerts you of the safest next-version of a dependency.
 
 This repository has some existing dependencies which will need updating to stay secure.
 
 <details>
   <summary>How can we identify dependencies and if they are vulnerable?</summary>
   <hr>
 
-This repository is a Node.js project utilizing NPM. Because of that, the `package.json` defines this repository's dependencies.  For our time together, we'll be focusing on these JavaScript dependencies. Keep in mind that different programming languages may have different dependency files. You might work with a `Gemfile`, `Gemfile.lock`, `*.gemspec`, `requirements.txt`, `pipfile.lock`, or other files.
+This repository is a Node.js project utilizing NPM. Because of that, [`package.json`]({{ repoUrl }}/blob/master/package.json) defines this repository's dependencies.  For our time together, we'll be focusing on these JavaScript dependencies. Keep in mind that different programming languages may have different dependency manifests. You might work with a `Gemfile`, `Gemfile.lock`, `*.gemspec`, `requirements.txt`, `pipfile.lock`, or other files.
 
-How can we know these dependencies are secure? It's not always easy, but GitHub is watching out.
+How can we know these dependencies are secure? GitHub monitors a number of reputable [data sources](https://help.github.com/en/github/managing-security-vulnerabilities/about-security-alerts-for-vulnerable-dependencies#data-sources-for-security-alerts) to track vulnerabilities across projects.
 
   <hr>
 </details>
@@ -21,9 +21,9 @@ You may notice some alerts from GitHub about this repository. You may get an ema
 
 ![dependency vulnerability alert](https://user-images.githubusercontent.com/9906718/46882979-c275b680-ce50-11e8-9f47-2081daf20b98.png)
 
-GitHub tracks public vulnerabilities in Ruby gems, NPM, Python, Java, and .Net packages.
+GitHub tracks vulnerabilities for a number of [supported languages](https://help.github.com/en/github/visualizing-repository-data-with-graphs/listing-the-packages-that-a-repository-depends-on#supported-languages) and their associated package managers, including RubyGems, NPM, Python PIP, Maven, and Nuget.
 
-GitHub receives a notification of a newly-announced vulnerability. Next, we check for repositories that use the affected version of that dependency. We send security alerts to a set of people within those affected repositories. The owners are contacted by default. But, it's possible to configure specific teams or individuals to get these important notifications.
+GitHub receives a notification of a newly-announced vulnerability. Next, we check for repositories that use the affected version of that dependency. We send security alerts to a set of people within those affected repositories. The owners are contacted by default and it's possible to configure specific teams or individuals to get these important notifications.
 
 **GitHub never publicly discloses identified vulnerabilities for any repository.**
 

responses/03_good-pr.md

@@ -2,7 +2,7 @@
 
 Great job, @{{ user.username }}, your pull request looks good. Thank you for fixing the vulnerable dependency!
 
-_Note: You might notice that this repository has a `package.json` file, but no `package-lock.json` file. We are doing all parts of this activity on GitHub.com. If you work with other repositories, you might notice some differences. Regardless of what dependency files you use, the main concepts of this course still apply._
+_Note: You might notice that this repository has a `package.json` file, but no `package-lock.json` file. In production code it's a good idea to have both files to avoid conflicts resolving the proper version of a dependency. For simplicity, we'll use only `package.json`, but GitHub monitors both files in addition to the gamut of supported languages and packages_
 
 ### :keyboard: Activity: Merge
 1. Merge this pull request.

responses/03_update-dependency.md

@@ -2,7 +2,7 @@
 
 Next, we'll go through the GitHub Flow to make some changes. If you aren't sure how to do this, try the [Introduction to GitHub course](https://lab.github.com/githubtraining/introduction-to-github) and then come back to give it another try.
 
-> _Note: Before doing this with real world code, make sure that the upgraded package works with your code. Good unit tests and CI (continuous integration) will help you update with confidence._
+> _Note: For production code, it's a good idea to do some integration testing to make sure that the upgraded package works with your code. Good unit tests and Continuous Integration (CI) will help you update with confidence. The Learning Lab course [GitHub Actions: Continuous Integration](https://lab.github.com/githubtraining/github-actions:-continuous-integration) can teach you how to set up CI!_
 
 ## Step 4: Updating dependency versions
 
@@ -12,5 +12,5 @@ Now that you know the recommended version, it's time to edit the `package.json`
 
 1. Within this pull request, go to **Files changed**.
 1. Click the ellipsis (`...`) in the right upper corner and click **Edit file** to edit the `package.json` file.
-1. Fix the vulnerability by updating to the latest version of the dependency that you took note of earlier.
+1. Fix the vulnerability by updating to the latest version of the dependency that you took note of earlier, version `2.6.9` of `debug`.
 1. Scroll down, and commit your change.

responses/04_add-dependabot.md

@@ -1,16 +1,18 @@
-## Automated dependency Updates with Dependabot
+## Automated dependency updates with Dependabot
 
 Manually going through your dependencies for alerts and outdated versions is tedious work. Let's automate this process!
 
-**Welcome to Dependabot**
+**Meet Dependabot**
 
 ![download](https://user-images.githubusercontent.com/6351798/67623352-53f86200-f7e1-11e9-957d-47bb009f030f.png)
 
 Dependabot creates pull requests to keep your dependencies secure and up-to-date!
 
 ### How does Dependabot work?
 
-1. Dependabot scans your repository and checks for updates or insecure requirements
+Dependabot is the actor for GitHub's automated security fixes. 
+
+1. GitHub uses the dependency graph and security alerts to scan your repository and notify you of potential dependency updates
 1. If any dependencies are out-of-date, Dependabot opens a pull request to update each one
 1. If tests pass, and the updated version looks good, you simply merge the pull request
 
@@ -22,16 +24,16 @@ You can enable automated security fixes for any repository that uses security al
 
 Here, we have a security alert on the **debug** dependency. Clicking on **debug** will show you the pull request created by Dependabot to update the dependency. We just updated to `2.6.9` but Dependabot noticed we are still outdated.
 
-Feel free to [**approve and merge this pull request**]({{ repoUrl }}/pull/4).
+If you navigate to your [pull requests]({{ repoUrl }}/pulls), you'll notice Dependabot has done its job and is trying to bump, or update, the version of `debug`. Feel free to **approve and merge the pull request**.
 
 <details>
   <summary>How to Install Dependabot if not enabled through automated security fixes</summary>
 
-    - Navigate to Dependabot on the [GitHub Marketplace](https://github.com/marketplace/dependabot-preview)
-    - Click the "Install it for free" button
-    - Follow on-screen instructions to add Dependabot to your GitHub profile
-    - When installing Dependabot, choose `Only select repositories` and choose this repository, {{ repoUrl }}
-    - On `app.dependabot.com`, under `repos you want to add`, select {{ repoUrl }} and click the `Add selected` button
+- Navigate to Dependabot on the [GitHub Marketplace](https://github.com/marketplace/dependabot-preview)
+- Click the "Install it for free" button
+- Follow on-screen instructions to add Dependabot to your GitHub profile
+- When installing Dependabot, choose `Only select repositories` and choose this repository, {{ repoUrl }}
+- On `app.dependabot.com`, under `repos you want to add`, select {{ repoUrl }} and click the `Add selected` button
 
 </details>
 

responses/05_add-security-policy.md

@@ -8,17 +8,17 @@ This gives collaborators the important security information they need, but it al
 
 Just like a `README.md` file, it really depends on your repository and the requirements and workflows. Here are a few common topics that are documented in a security policy:
 
-1. Supported versions
-1. How to responsibly report a security vulnerability
-1. Security related configuration
-1. Known security gaps and future enhancements
+- Supported versions
+- How to responsibly report a security vulnerability
+- Security related configuration
+- Known security gaps and future enhancements
 
 
 ## Step 6: Add a SECURITY.md file
 
 1. Navigate to the [Security]({{ repoUrl }}/network/alerts) tab
 1. Click on Policy located in the left sidebar
-1. Click the `Start Setup` button
+1. Click the **Start Setup** button
 1. Commit the template security policy to the new branch as selected `{{ user.username }}-patch-1`
 1. Commit the new file and create the pull request
 

responses/06_remove-sensitive-commit.md

@@ -1,12 +1,12 @@
 ## Removing sensitive information
 
-A contributor opened a pull request to add a new image to the memory game. However, it appears that this contributor also committed a sensitive `.env` file that shouldn't be included. Contributors may commit sensitive information by accident or by purpose without knowing the consequences of these actions.
+A contributor opened a pull request to add a new image to the memory game. However, it appears that this contributor also committed a sensitive `.env` file that shouldn't be included. Contributors may commit sensitive information by accident or on purpose without knowing the consequences of these actions.
 
 Before we approve this pull request and merge it in, we need to remove this sensitive `.env` file from the pull request.
 
 ## Step 8: Remove sensitive data in a pull request
 
-We can do this by cloning down this repository to our local computer, and then running a few local Git commands before pushing up a fix on the contributor's branch on GitHub.
+We can do this by cloning this repository to our computer, and then running a few local Git commands before pushing up a fix on the contributor's branch on GitHub.
 
 1. Clone this repository locally by running `git clone {{ repoUrl }}.git`
 1. CD into your newly cloned repository with `cd security-strategy-essentials`

responses/06_suggest-merge.md

@@ -1,4 +1,4 @@
-Nice work opening this pull request. I went a head and approved it, go ahead and merge when ready.
+Nice work opening this pull request. I went ahead and approved it, go ahead and merge when ready.
 
 ### :keyboard: Activity: Merge
 1. Merge this pull request.

responses/08_add-gitignore.md

@@ -1,4 +1,4 @@
-Removing the previous `.env` file from a random pull request is great, but how can we make sure other contributions don't include sensitive files by mistake? We can do this by adding a `.gitignore` file to our repository.
+Removing the previous `.env` file from the branch is great, but it's reactive. We need to ensure future contributions don't include sensitive files by mistake. We can do this by adding a `.gitignore` file to our repository.
 
 ## Taking advantage of the `.gitignore` file
 
@@ -8,7 +8,7 @@ From time to time, there are files you don't want Git to check in to GitHub. You
 
 Git uses a file called `.gitignore` to decide which files and directories to ignore when committing.  Keep files containing sensitive data, like configuration or `.env` files, out of your repositories. This is one way to promote security best practices.
 
-The `.gitignore` file can, and should, be committed into your repository.  By sharing this file and making it part of your code, it will also help others. Other users that contribute to the repository will also avoid committing sensitive data. There are many examples of `.gitignore` files available for you to use in your own repositories. You can find them in the [gitignore](https://github.com/github/gitignore) repository.
+The `.gitignore` file can, and should, be committed into your repository.  By sharing this file and making it part of your code, future contributors to the repository will avoid committing sensitive data. There are many examples of `.gitignore` files available for you to use in your own repositories. You can find them in the [gitignore](https://github.com/github/gitignore) repository.
 
 ## Step 10: Add a `.gitignore` file