Commit
Add in an exercises doc that shows how to fork the repo for GHAS learning
1 parent d5d53cc, commit 8b1c5ad
Showing 4 changed files with 84 additions and 11 deletions.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,67 @@ | ||
# Summary | ||
|
||
This repository massages most of the Github Advanced Security (GHAS) features into a single repository: | ||
|
||
* Dependabot alerts | ||
* Secrets scanning, | ||
* Code scanning with CodeQL | ||
* Security advisories | ||
* Security policy | ||
|
||
When you fork a repository, all GHAS features are disabled by default. Hence, this repo serves as a good way to toggle most of the features of GHAS yourself and walk through some of the existing configurations. | ||
|
||
# Goals | ||
|
||
You should get core security configuration of the main features of Github Advanced Security. You be able to configure all scanning features and understand basic configuration options, code scanning actions, and YAML config options. | ||
|
||
You should be able to see security alerts and be able to triage and respond to them. | ||
|
||
# Requirements | ||
|
||
If you fork this repository in a public account, you will have access to all the features in this exercise. GHAS is free on public accounts. See also [GHAS pricing](https://docs.github.com/en/enterprise-cloud@latest/billing/managing-billing-for-github-advanced-security/about-billing-for-github-advanced-security) | ||
|
||
# Set-up | ||
|
||
1. Fork this repository to your own account. | ||
2. Navigate to `https[X]://github.com/{your account id}/swiss-cheese/settings/security_analysis`. You will see the unset security settings: | ||
|
||
![GHAS Settings](./img/empty_security_settings.png) | ||
|
||
# Configure the settings | ||
|
||
**TODO** This section will need specific tasks and configurations to review. Additional references to Github docs as well. | ||
|
||
1. Create security policy | ||
|
||
* TODO | ||
|
||
2. Enable Dependabot alerts | ||
|
||
* TODO | ||
|
||
3. Enable Code scanning with CodeQL | ||
|
||
* TODO | ||
|
||
4. Enable secret scanning | ||
|
||
* TODO | ||
|
||
5. Create a security advisory | ||
|
||
* TODO | ||
|
||
6. Review | ||
|
||
* TODO | ||
|
||
# Results | ||
|
||
If you have the configured everything correctly you should have the same security alerts as the public repository your forked from. The exception is the Security Advisories, where are not copied to a forked repository. | ||
|
||
![GHAS Completed Settings](./img/ghas-fully-configured.png) | ||
|
||
|
||
# References | ||
|
||
* [GHAS Developer Training](https://github.com/services/ghas-developer-training) - An outline of the core concepts suggested by GitHub. |
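Review bot: the URL in Set-up step 2 is written `https[X]://github.com/{your account id}/swiss-cheese/settings/security_analysis`; the `[X]` looks like a paste artifact and should be dropped so the link resolves. The Goals paragraph has a missing word ("You be able to configure" should read "You should be able to configure"), and the Results paragraph reads "If you have the configured everything correctly" and "where are not copied" (should be "If you have configured everything correctly" and "which are not copied"). The Summary list is inconsistently punctuated ("Secrets scanning," ends in a comma while the other bullets do not), and the file writes "Github" where the product name is "GitHub". Finally, the "Configure the settings" section lands with all six numbered steps as `* TODO`; if this is meant to merge as-is, state in the Summary that the walkthrough is incomplete, or hold the commit until the enable steps at least link the relevant GitHub docs, as the section's own TODO note says they should.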