Update exercise 4

Author: feaselkl

.gitignore

@@ -1,6 +1,2 @@
 
 .DS_Store
-
-.vscode/settings.json
-Media/Lab Guide/~$DAY_ONE_TechExcel_Implementing_DevOps.pptx
-Media/Lab Guide/~$DAY_TWO_TechExcel_Implementing_DevOps.pptx

Media/0402_Revoked.png

@@ -14,7 +14,7 @@ Now that the Munson's Pickles and Preserves team has GitHub Advanced Security in
 In this task, you will improve the security of your repository using some of GitHub's built-in tools.
 
 1. You should have one security issue from code scanning. Review the security issue and read up on how to correct the issue. Create a new GitHub Issue from the code scanning alert.
-2. You should have one security issue from secret scanning. Create a separate GitHub Issue from the security alert. In reviewing this alert, one of the developers informs you that this secret is part of a local configuration file and that file should not be checked into source control at all.
+2. You should have one security issue from secret scanning. Create a separate GitHub Issue from the security alert. In reviewing this alert, one of the developers informs you that this secret is part of a local configuration file and that file should not be checked into source control at all. It appears that a junior developer has accidentally checked in the file, and they need your help recovering from this. The developer will revoke this particular secret but wants you to make sure nobody can check in the configuration file ever again.
 3. You should have one Dependabot alert due to a vulnerable version of a library. Try to use Dependabot to fix this package version and create a new pull request with the change. If it does not work, create a GitHub Issue for this Dependabot alert.
 4. Create a new feature branch. Then, use GitHub Copilot to assist you in resolving all of the outstanding security issues.
 5. Create a pull request, closing out the issues that you've resolved. Use GitHub Copilot Enterprise to generate a meaningful pull request message and have another learner review your code changes. Merge your code into the main branch of your repository.
@@ -40,9 +40,9 @@ In this task, you will improve the security of your repository using some of Git
 <summary>Expand this section to view the solution</summary>
 
 1. Select **Security** in your repo, then **Code scanning**. Select the 'Arbitrary file access during archive extraction ("Zip Slip")' code issue. Select **Create issue** to create a GitHub issue around this code scanning alert.
-2. After creating an issue for the code scanning alert, navigate back to **Security** and then select **Secret scanning**. TODO: continue this!
-3. After creating an issue for the secret scanning alert, navigate back to the **Security** page and then select **Dependabot**. Select the 'Improper Handling of Exceptional Conditions in Newtonsoft.Json' alert. Then, select **Create Dependabot security update** to have Dependabot try to fix this issue. In the event that it does not automatically generate a pull request for you, create a new GitHub Issue for this alert. You will not be able to create an issue directly from the alert page like you can secret scanning or code scanning issues.
-4. Create a new feature branch and give it a name like 'security-fixes'. Fetch changes from your machine and then check out and pull the new branch using the Git command line, Visual Studio Code, or your tool of choice.
+2. After creating an issue for the code scanning alert, navigate back to **Security** and then select **Secret scanning**. Select the 'Azure Registry Key Identifiable' secret issue. Create a GitHub issue around this issue. You will not be able to create an issue directly from the alert page like you can for code scanning issues.
+3. After creating an issue for the secret scanning alert, navigate back to the **Security** page and then select **Dependabot**. Select the 'Improper Handling of Exceptional Conditions in Newtonsoft.Json' alert. Then, select **Create Dependabot security update** to have Dependabot try to fix this issue. In the event that it does not automatically generate a pull request for you, create a new GitHub Issue for this alert. You will not be able to create an issue directly from the alert page like you can for code scanning issues.
+4. Create a new feature branch and give it a name like `security-fixes`. Fetch changes from your machine and then check out and pull the new branch using the Git command line, Visual Studio Code, or your tool of choice.
 5. In GitHub, navigate back to the **Security** page and then select **Code scanning**. Select the code issue once again. Choose "Show more" to view details on the security issue. It turns out that an attacker could traverse to an arbitrary directory based on the way the MP&P staff wrote this function. In order to correct the function and prevent a directory traversal attack, update the `WriteToDirectory()` function. You can highlight the function, strike `Ctrl+i` or `Command+i`, and use a prompt like "Please update this function to prevent a directory traversal attack."
 
     For comparison, the following code will not be vulnerable to a directory traversal attack:
@@ -59,10 +59,25 @@ In this task, you will improve the security of your repository using some of Git
     }
     ```
 
-6. TODO: notes on correcting the secret scan alert
-7. TODO: dependabot alert work needed?
-8. Commit the code changes you have made, using GitHub Copilot to assist with creating a commit message. Include in your commit messages any issues you have resolved. Then, create a pull request to the main branch. Use GitHub Copilot Enterprise to create a relevant pull request message.
+6. To resolve the secret scanning alert, we want to add `config.json` to the `.gitignore` file. We'll use the specific file location just in case there are other configuration files we don't want to exclude.
+
+    ```yaml
+    # Local configuration file for developers
+    src/Application/src/RazorPagesTestSample/config.json
+    ```
+
+    Then, delete the `config.json` file from your repository and commit both changes.
+
+    {: .note }
+    > This action will not eliminate any commits in history that contain the secret. For that reason, it is critical to revoke or cycle the secret as well as removing this file from source control. GitHub has documentation explaining [how to remove a secret introduced by an earlier commit in a branch](https://docs.github.com/en/code-security/secret-scanning/pushing-a-branch-blocked-by-push-protection#removing-a-secret-introduced-by-an-earlier-commit-on-your-branch).
+
+7. The Dependabot alert indicates that the old version of Newtonsoft.Json is in the test project, `src/Application/tests/RazorPagesTestSample.Tests/RazorPagesTestSample.Tests.csproj`. Open this file and change the version from 11.0.2 to a more recent version: **13.0.3**.
+8. Commit any outstanding code changes you have made, using GitHub Copilot to assist with creating a commit message. Include in your commit messages any issues you have resolved. Then, create a pull request to the main branch. Use GitHub Copilot Enterprise to create a relevant pull request message.
 9. Assign another learner as a reviewer for the pull request. Ensure that the other learner completes the code review and approves your changes.
-10. You should see a CodeQL scan for the pull request. Assuming that it succeeds and the other learner has approved your changes, complete the pull request. Then, return to the **Security** page and confirm that no issues remain on any of the three lists.
+10. You should see a CodeQL scan for the pull request. Assuming that it succeeds and the other learner has approved your changes, complete the pull request. Then, return to the **Security** page select the 'Azure Registry Key Identifiable' secret scan alert. Select **Close as** and choose **Revoked** from the menu and then select **Close alert**.
+
+    ![Revoke the Azure registry key](../../Media/0402_Revoked.png)
+
+11. Return to the **Security** page and confirm that no issues remain on any of the three lists.
 
 </details>