Commit 9d5e6b1

Draft of exercise 04
1 parent 18445dd commit 9d5e6b1

8 files changed

+46
-91
lines changed

Media/0401_PushProtection.png

15.6 KB

Media/0401_SecretScanning.png

10.5 KB

docs/04_make_things_secure/0401.md

Lines changed: 15 additions & 24 deletions
@@ -17,20 +17,19 @@ In addition to these manual processes, GitHub also provides automated tools for
1717

1818
## Description
1919

20-
In this task, you will improve the security of your repository using some of GitHub's built-in tools.
20+
In this task, you will enable some of GitHub's built-in tools for securing code in repositories.
2121

2222
1. Ask GitHub Copilot, "What do I need in a GitHub repository's security file?"
23-
2. Find the repository's Security policy. If there is an existing policy, make an edit and merge your change back into the main branch. Otherwise, create a policy using the template provided. GitHub Security policies are Markdown documents that indicate the preferred way to report security vulnerabilities for the repository.
23+
2. Find the repository's Security policy. If there is an existing policy, make an edit using GithUb Copilot and merge your change back into the main branch. Otherwise, create a policy using the template provided and GitHub Copilot. GitHub Security policies are Markdown documents that indicate the preferred way to report security vulnerabilities for the repository.
2424
3. Ask GitHub Copilot, "How do I enable Dependabot alerts on a GitHub repository?" Then, enable Dependabot alerts for the repository. Dependabot is an automated tool that creates a pull request when any dependencies in the code base has a known vulnerability.
2525
4. Ask GitHub Copilot, "How do I create a code scanning workflow in a GitHub repository?" After that, set up and run a Code scanning workflow for the repository using GitHub's 'CodeQL Analysis.' This workflow can run either on each pull request or on a schedule, and it checks your code for common vulnerabilities or errors.
26-
5. Ask GitHub Copilot, "How can I view the results of a CodeQL analysis in GitHub?" Then, navigate to the results.
27-
6. You should have one security issue from code scanning. Review the security issue and read up on how to correct the issue. Create a new GitHub Issue and feature branch. Then, resolve the issue, using GitHub Copilot to assist you.
26+
5. Ask GitHub Copilot, "How can I view the results of a CodeQL analysis in GitHub?" Then, navigate to the results. The next task will cover reviewing and correcting any issues you find.
27+
6. Ask GitHub Copilot, "How do I enable secret scanning on a GitHub repository?" Then, enable secret scanning and push protection on the repository.
2828

2929
## Success Criteria
3030

31-
- In GitHub, you should be able to view the 'closed' pull request which either created or updated the Security policy (SECURITY.md file).
32-
- Additionally, you should be able to view a new 'open' pull request created by Dependabot requesting an update of a dependency.
33-
- Finally, you should be able to view the results of the CodeQL Analysis in the Security tab.
31+
- The **Security** page for your GitHub repository shows that Dependabot alerts, Code scanning alerts, and Secret scanning alerts are all enabled.
32+
- You have one Dependabot alert, one Code scanning alert, and one Secret scanning alert.
3433

3534
## Learning Resources
3635
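Review bot: typo in the new step 2 at line 23, 'GithUb Copilot' should be 'GitHub Copilot'. The new step 6 also has the learner enable both secret scanning and push protection, but the rewritten Success Criteria only check that Dependabot, Code scanning and Secret scanning alerts are enabled; add a bullet such as '- Push protection is shown as enabled under Secret scanning' so the learner verifies the whole step. While this file is open, the unchanged step 3 still has a number-agreement slip ('any dependencies ... has a known vulnerability').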

@@ -40,7 +39,7 @@ In this task, you will improve the security of your repository using some of Git
4039

4140
## Tips
4241

43-
- If you are stuck, check out the 'Security' tab of your repository on GitHub.
42+
- If you are stuck, check out the **Security** tab of your repository on GitHub.
4443

4544
## Solution
4645

@@ -70,7 +69,7 @@ In this task, you will improve the security of your repository using some of Git
7069

7170
![Select Default](../../Media/CodeQLAdvanced.png)
7271

73-
8. By choosing the advanced option, you can see the YAML for the pipeline that actually performs the code check. We don't need to make any changes here, but it's something you should be familiar with. An easy change to make in this file would be if you want to adjust the schedule of when the scan runs.
72+
8. By choosing the advanced option, you can see the YAML for the pipeline that actually performs the code check. We don't need to make any changes here, but it's something you should be familiar with. An easy change to make in this file would be if you want to adjust the schedule of when the scan runs. Use GitHub Copilot to assist you with making any change.
7473

7574
![Commit the CodeQL YAML](../../Media/CodeQLYAMLCommit.png)
7675
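Review bot: the sentence added to step 8, 'Use GitHub Copilot to assist you with making any change.', directly follows 'We don't need to make any changes here', which reads as contradictory. Suggest folding it into the preceding sentence, e.g. 'If you do want to adjust the schedule of when the scan runs, that is an easy change to make in this file, and GitHub Copilot can help you make it.'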

@@ -93,20 +92,12 @@ In this task, you will improve the security of your repository using some of Git
9392
9493
![View code scanning results](../../Media/CodeQLViewResults.png)
9594

96-
12. Select the alert and then choose "Show more" to view details on the security issue. It turns out that an attacker could traverse to an arbitrary directory based on the way the MP&P staff wrote this function. In order to correct the function and prevent a directory traversal attack, replace `WriteToDirectory()` with the following code:
97-
98-
```csharp
99-
public static void WriteToDirectory(ZipArchiveEntry entry, string destDirectory)
100-
{
101-
string destFileName = Path.GetFullPath(Path.Combine(destDirectory, entry.FullName));
102-
string fullDestDirPath = Path.GetFullPath(destDirectory + Path.DirectorySeparatorChar);
103-
if (!destFileName.StartsWith(fullDestDirPath)) {
104-
throw new System.InvalidOperationException("Entry is outside the target dir: " + destFileName);
105-
}
106-
entry.ExtractToFile(destFileName);
107-
}
108-
```
109-
110-
Commit the code and create a pull request to the main branch. You should then see a CodeQL scan for the pull request, and after it succeeds, complete the pull request. Then, return to the code scanning results view and confirm that no issues remain on the list.
95+
12. Return to the **Settings** menu and select **Code security and analysis**. Navigate to the bottom of the page and select the **Enable** button for Secret scanning.
96+
97+
![Enable secret scanning](../../Media/0401_SecretScanning.png)
98+
99+
Once you have enabled secret scanning, you will be able to enable a second option for Push protection.
100+
101+
![Enable push protection](../../Media/0401_PushProtection.png)
111102

112103
</details>
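Review bot: the new step 12 ends the solution without a verification step, whereas the text it replaces ended by sending the learner back to the results view to confirm the outcome. Since this task's Success Criteria require one Dependabot, one Code scanning and one Secret scanning alert, add a closing line after the push protection screenshot, e.g. 'Return to the **Security** page and confirm that each of the three alert lists contains one alert.' The step also enables push protection without saying why it is a separate toggle from secret scanning; one sentence on the difference would make the second option meaningful to the learner.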

docs/04_make_things_secure/0402.md

Lines changed: 20 additions & 64 deletions
@@ -5,32 +5,24 @@ nav_order: 2
55
parent: 'Exercise 04: Make things secure'
66
---
77

8-
# Task 02 - Fix issues GitHub Advanced Security found (20 minutes)
9-
108
## Introduction
119

12-
The Munson's Pickles and Preserves Team Messaging System is up and running! They even have a proper Git Flow to protect against unintended changes to the main branch, and are recording application telemetry into App Insights. Before we are truly production-ready, though, there is one topic we have to cover: security.
13-
14-
One good DevOps practice is to enable protections against code-level vulnerabilities, and GitHub provides a number of useful features in this area. First, there are Issues, which allow developers or users to open 'tickets' indicating bugs to be fixed or potential vulnerabilities. If your organization prefers security flaws to be reported in a location other than GitHub, you have the option to provide a custom Security policy which describes the process for reporting.
15-
16-
In addition to these manual processes, GitHub also provides automated tools for scanning code for common errors. In this task, you will utilize the built-in Dependabot, which provides alerts if your repository contains libraries, packages, or external dependencies with known vulnerabilities. You will also set up a workflow with CodeQL, which can scan your source code for common coding errors or basic security flaws. This will help to ensure that the Team Messaging System contains code without any known vulnerabilities.
10+
Now that the Munson's Pickles and Preserves team has GitHub Advanced Security in place, they would like your assistance in resolving the issues the tool has found. They see a variety of issues, from vulnerable dependencies to secrets exposed in code, and even coding practices that may be dangerous.
1711

1812
## Description
1913

2014
In this task, you will improve the security of your repository using some of GitHub's built-in tools.
2115

22-
1. Ask GitHub Copilot, "What do I need in a GitHub repository's security file?"
23-
2. Find the repository's Security policy. If there is an existing policy, make an edit and merge your change back into the main branch. Otherwise, create a policy using the template provided. GitHub Security policies are Markdown documents that indicate the preferred way to report security vulnerabilities for the repository.
24-
3. Ask GitHub Copilot, "How do I enable Dependabot alerts on a GitHub repository?" Then, enable Dependabot alerts for the repository. Dependabot is an automated tool that creates a pull request when any dependencies in the code base has a known vulnerability.
25-
4. Ask GitHub Copilot, "How do I create a code scanning workflow in a GitHub repository?" After that, set up and run a Code scanning workflow for the repository using GitHub's 'CodeQL Analysis.' This workflow can run either on each pull request or on a schedule, and it checks your code for common vulnerabilities or errors.
26-
5. Ask GitHub Copilot, "How can I view the results of a CodeQL analysis in GitHub?" Then, navigate to the results.
27-
6. You should have one security issue from code scanning. Review the security issue and read up on how to correct the issue. Create a new GitHub Issue and feature branch. Then, resolve the issue, using GitHub Copilot to assist you.
16+
1. You should have one security issue from code scanning. Review the security issue and read up on how to correct the issue. Create a new GitHub Issue from the code scanning alert.
17+
2. You should have one security issue from secret scanning. Create a separate GitHub Issue from the security alert. In reviewing this alert, one of the developers informs you that this secret is part of a local configuration file and that file should not be checked into source control at all.
18+
3. You should have one Dependabot alert due to a vulnerable version of a library. Try to use Dependabot to fix this package version and create a new pull request with the change. If it does not work, create a GitHub Issue for this Dependabot alert.
19+
4. Create a new feature branch. Then, use GitHub Copilot to assist you in resolving all of the outstanding security issues.
20+
5. Create a pull request, closing out the issues that you've resolved. Use GitHub Copilot Enterprise to generate a meaningful pull request message and have another learner review your code changes. Merge your code into the main branch of your repository.
2821

2922
## Success Criteria
3023

31-
- In GitHub, you should be able to view the 'closed' pull request which either created or updated the Security policy (SECURITY.md file).
32-
- Additionally, you should be able to view a new 'open' pull request created by Dependabot requesting an update of a dependency.
33-
- Finally, you should be able to view the results of the CodeQL Analysis in the Security tab.
24+
- In GitHub, you should be able to view the 'closed' pull request with your changes.
25+
- The **Security** tab shows no outstanding alerts for Dependabot, Code scanning, or Secret scanning.
3426

3527
## Learning Resources
3628
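Review bot: line 8 deletes the page's H1 ('# Task 02 - Fix issues GitHub Advanced Security found (20 minutes)') with no replacement, and the visible front matter has no title field, so the rendered page may lose both its heading and its time estimate; confirm this is intentional or restore the heading with the new wording. The unchanged description line 14 still reads 'In this task, you will improve the security of your repository using some of GitHub's built-in tools', the sentence this file shares with 0401; now that the steps are about resolving alerts, reword it to match, e.g. 'In this task, you will resolve the alerts that GitHub Advanced Security raised in the previous task.' In step 2, the developer's remark that the file should never have been checked in implies that removing it in a new commit is not enough, because the secret stays in the repository history; the step should tell the learner to treat the secret as exposed (revoke or rotate it) and to keep the file out of source control from now on.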

@@ -40,60 +32,20 @@ In this task, you will improve the security of your repository using some of Git
4032

4133
## Tips
4234

43-
- If you are stuck, check out the 'Security' tab of your repository on GitHub.
35+
- If you are stuck, review the details provided for each of the vulnerability alerts. This may include sample code to cause and fix a security issue, as well as links to additional resources.
4436

4537
## Solution
4638

4739
<details markdown="block">
4840
<summary>Expand this section to view the solution</summary>
4941

50-
1. Select **Settings** in your repo, then **Code security and analysis**. Select **Enable** on "Dependabot alerts" and "Dependabot security updates."
51-
52-
![Enabled Dependabot alerts and security updates](../../Media/EnableDependabot.png)
53-
54-
**Note** This will also automatically enable "Dependency graph."
55-
2. Navigate to [https://github.com/electron/electron/blob/main/SECURITY.md](https://github.com/electron/electron/blob/main/SECURITY.md) for information about security policies. This is an example of a sample security policy that you could use for this exercise.
56-
3. In your GitHub repo, select **Security**, **Policy**, and **Start setup**
57-
58-
![Start the security policy setup](../../Media/StartSecurityPolicySetup.png)
59-
60-
4. Paste the security policy into the Markdown file (you can overwrite what is there now) and update it for the Munson's Pickles and Preserves Team Messaging System and the GitHub repo your code is in. Then, commit the changes to the main branch.
61-
62-
![Commit the updated security policy](../../Media/CommitSecurityPolicy.png)
63-
64-
5. Next, we need to enable CodeQL. Select **Settings** and then **Code security and analysis**.
65-
6. Scroll down if needed and select **Set up** in "Code scanning" for "CodeQL analysis."
66-
67-
![Setup CodeQL analysis](../../Media/CodeQLAnalysisSetup.png)
68-
69-
7. If you select "Default", the code scan will immediately be run. For this exercise, select **Advanced**.
70-
71-
![Select Default](../../Media/CodeQLAdvanced.png)
72-
73-
8. By choosing the advanced option, you can see the YAML for the pipeline that actually performs the code check. We don't need to make any changes here, but it's something you should be familiar with. An easy change to make in this file would be if you want to adjust the schedule of when the scan runs.
74-
75-
![Commit the CodeQL YAML](../../Media/CodeQLYAMLCommit.png)
76-
77-
After you've reviewed the YAML, commit the change to main.
78-
79-
![Commit the change](../../Media/CodeQLCommitChange.png)
80-
81-
9. After you've committed the change, select **Actions** and you should see your CodeQL Scan workflow running.
82-
83-
![CodeQL scan running](../../Media/CodeQLScanRunning.png)
84-
85-
10. After about 5 minutes, you should see the workflow has completed.
86-
87-
![Workflow complete](../../Media/CodeQLWorkflowComplete.png)
88-
89-
11. After it's complete, go back to **Settings** and **Code security and analysis**. Then, select the ellipsis **...** next to the "Set up" menu. From the ellipsis dropdown, explore each of the first two options: "View last scan log" and "View Code Scanning alerts." You will find one High-risk vulnerability around arbitrary file access during archive extraction.
90-
91-
{: .note }
92-
> This page will still show "Set up" because we chose the Advanced option instead of Basic.
93-
94-
![View code scanning results](../../Media/CodeQLViewResults.png)
42+
1. Select **Security** in your repo, then **Code scanning**. Select the 'Arbitrary file access during archive extraction ("Zip Slip")' code issue. Select **Create issue** to create a GitHub issue around this code scanning alert.
43+
2. After creating an issue for the code scanning alert, navigate back to **Security** and then select **Secret scanning**. TODO: continue this!
44+
3. After creating an issue for the secret scanning alert, navigate back to the **Security** page and then select **Dependabot**. Select the 'Improper Handling of Exceptional Conditions in Newtonsoft.Json' alert. Then, select **Create Dependabot security update** to have Dependabot try to fix this issue. TODO: continue this!
45+
4. Create a new feature branch and give it a name like 'security-fixes'. Fetch changes from your machine and then check out and pull the new branch using the Git command line, Visual Studio Code, or your tool of choice.
46+
5. In GitHub, navigate back to the **Security** page and then select **Code scanning**. Select the code issue once again. Choose "Show more" to view details on the security issue. It turns out that an attacker could traverse to an arbitrary directory based on the way the MP&P staff wrote this function. In order to correct the function and prevent a directory traversal attack, update the `WriteToDirectory()` function. You can highlight the function, strike `Ctrl+i` or `Command+i`, and use a prompt like "Please update this function to prevent a directory traversal attack."
9547

96-
12. Select the alert and then choose "Show more" to view details on the security issue. It turns out that an attacker could traverse to an arbitrary directory based on the way the MP&P staff wrote this function. In order to correct the function and prevent a directory traversal attack, replace `WriteToDirectory()` with the following code:
48+
For comparison, the following code will not be vulnerable to a directory traversal attack:
9749

9850
```csharp
9951
public static void WriteToDirectory(ZipArchiveEntry entry, string destDirectory)
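Review bot: steps 2 and 3 of the new solution still end in 'TODO: continue this!' placeholders; acceptable in a draft, but they must be filled in before this is published because the Success Criteria depend on the secret scanning and Dependabot issues being created. In step 4, 'Fetch changes from your machine' should read 'Fetch changes to your machine' (the learner fetches the new branch from GitHub). Step 5 now relies on a Copilot prompt to rewrite `WriteToDirectory()`, and Copilot's output can differ from the reference; tell the learner to compare the result against the code that follows and confirm it resolves the combined path with `Path.GetFullPath` and rejects any entry whose resolved path does not start with the destination directory before calling `ExtractToFile`.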
@@ -107,6 +59,10 @@ In this task, you will improve the security of your repository using some of Git
10759
}
10860
```
10961

110-
Commit the code and create a pull request to the main branch. You should then see a CodeQL scan for the pull request, and after it succeeds, complete the pull request. Then, return to the code scanning results view and confirm that no issues remain on the list.
62+
6. TODO: notes on correcting the secret scan alert
63+
7. TODO: dependabot alert work needed?
64+
8. Commit the code changes you have made, using GitHub Copilot to assist with creating a commit message. Include in your commit messages any issues you have resolved. Then, create a pull request to the main branch. Use GitHub Copilot Enterprise to create a relevant pull request message.
65+
9. Assign another learner as a reviewer for the pull request. Ensure that the other learner completes the code review and approves your changes.
66+
10. You should see a CodeQL scan for the pull request. Assuming that it succeeds and the other learner has approved your changes, complete the pull request. Then, return to the **Security** page and confirm that no issues remain on any of the three lists.
11167

11268
</details>
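Review bot: steps 6 and 7 are still TODO placeholders while step 10 expects all three alert lists to be empty, so both need content before merge. Step 7 should say what happens to the Dependabot alert: if 'Create Dependabot security update' in step 3 produced a pull request, does the learner merge it separately or bring the version bump into the 'security-fixes' branch? Step 6 should cover removing the local configuration file from the repository, ignoring it going forward, and revoking or rotating the exposed secret, since deleting the file does not remove it from history and the alert cannot be honestly resolved otherwise.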

docs/04_make_things_secure/0403.md

Lines changed: 1 addition & 1 deletion
@@ -9,7 +9,7 @@ parent: 'Exercise 04: Make things secure'
99

1010
## Introduction
1111

12-
To wrap up the DevOps journey, Munson's Pickles and Preserves would like to understand what is happening in their deployed environments. By the time users complain about a problem, it is already too late. It is also imperative to know not only about the performance of the site, but also the impact--positive or negative--a feature has had on the users. Please take a moment to review the articles in the **Learning Resources** section to gain a better understanding of the importance of monitoring, as well as Application Insights, one of the tools available in Azure to make monitoring easy.
12+
To reach the next step of their DevOps journey, Munson's Pickles and Preserves would like to understand what is happening in their deployed environments. By the time users complain about a problem, it is already too late. It is also imperative to know not only about the performance of the site, but also the impact--positive or negative--a feature has had on the users. Please take a moment to review the articles in the **Learning Resources** section to gain a better understanding of the importance of monitoring, as well as Application Insights, one of the tools available in Azure to make monitoring easy.
1313

1414
## Description
1515

index.md

Lines changed: 4 additions & 1 deletion
@@ -27,4 +27,7 @@ For running this lab you will need:
2727
* An AAD tenant where you are a global admin. and an Azure subscription in that same tenant.
2828
* M365 E5 licenses (or a trial for these licenses configured) in that same tenant.
2929

30-
**[MCAPS non-prod subscriptions](https://dev.azure.com/OneCommercial/NoCode/_wiki/wikis/NoCode.wiki/12/Hybrid-Subscription) are the most convenient way for you to meet all these prerequisites**, and the lab activities assume that you have configured an external subscription via [https://aka.ms/MCAPSNewAzureSub](https://aka.ms/MCAPSNewAzureSub).
30+
**[MCAPS non-prod subscriptions](https://dev.azure.com/OneCommercial/NoCode/_wiki/wikis/NoCode.wiki/12/Hybrid-Subscription) are the most convenient way for you to meet all these prerequisites**, and the lab activities assume that you have configured an external subscription via [https://aka.ms/MCAPSNewAzureSub](https://aka.ms/MCAPSNewAzureSub). Note that this must be an **external** MCAPS subscription and not a hybrid subscription.
31+
32+
{: .note }
33+
> If you requested an external MCAPS subscription prior to April of 2024, you might have an obsolete MCAPS subscription. In that case, you will need to delete the subscription, delete the tenant, and re-request the external MCAPS subscription in the new system **before** beginning these labs. The link above will allow you to request a subscription in the new system. Obsolete external MCAPS subscriptions will be eliminated in September of 2024.
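Review bot: the added sentence says the subscription must be an external MCAPS subscription and not a hybrid one, yet the link just before it points at a wiki page whose path ends in 'Hybrid-Subscription'; confirm that target is still the right page or relink to the external-subscription guidance. In the new note, 'the new system' is used twice without saying what it is; name it or point at the aka.ms link. The unchanged prerequisite line 27 also has a stray period in 'global admin. and'.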
