Merge pull request #20 from austimkelly/exercieses-documentation
Exercises documentation
austimkelly authored Jan 11, 2024
2 parents 54f3b7c + 858b002 commit f8d5508
Showing 4 changed files with 68 additions and 30 deletions.
3 changes: 3 additions & 0 deletions .github/secret_scanning.yml
@@ -0,0 +1,3 @@

paths-ignore:
- "foo/bar/*.js"
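Review bot: the single ignore pattern `"foo/bar/*.js"` reads as a placeholder rather than a real exclusion; this is a Python demo repository, and the checklist added in this same commit asks the reader to "Create an exclude pattern for files and folders", so either point the pattern at a path that actually exists or state in the checklist that this entry is the sample to edit. Because anything matched by `paths-ignore` is silently left out of secret scanning alerts for users, a short comment above the key saying to keep the pattern as narrow as possible would help the next person who copies this file. The empty first line before `paths-ignore:` can also be dropped.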
6 changes: 3 additions & 3 deletions README.md
@@ -1,5 +1,5 @@
# swiss-cheese
🧀🧀 A demo repository of simple OWASP Top 10 type of vulnerabilities in Python. Like swiss-cheese, this code is full of holes 🧀🧀
🧀🧀 A demo repository of small OWASP Top 10 vulnerabilities. Like swiss-cheese, this code is full of holes. Goes great with Github Advanced Security 🧀🧀

![License](https://img.shields.io/github/license/austimkelly/swiss-cheese.svg)
![Python 3](https://img.shields.io/badge/python-3-blue.svg)
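Review bot: the rewritten description changes the product name to "Github Advanced Security"; the vendor spells it "GitHub", and the old text in this file used that form, so suggest `Goes great with GitHub Advanced Security`. The new sentence also drops "in Python", which is the one detail a visitor scanning the first line of the README wants; consider `A demo repository of small OWASP Top 10 vulnerabilities in Python.`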
Expand All @@ -17,9 +17,9 @@ The code samples here here several purposes:
* How would you recommend fixing vulnerability X?
4. Will AI assistants such as ChatGPT & Copilot generate insecure code and testing techniques which it may deem unethical?

## GitHub Advanced Security Exercises
## Github Advanced Security Exercises

This repository is also used as a training exercise for GitHub Advanced Security (GHAS) features. See [GHAS Exercises](./doc/ghas-exercises.md) for more details.
This repository is also used as a training exercise for Github Advanced Security (GHAS) features. See [GHAS Exercises](./doc/ghas-exercises.md) for more details.

# Code Authors

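Review bot: the heading and the sentence below it make the same "GitHub" to "Github" change as the first hunk; if the description is restored to "GitHub", revert these two lines as well so the README uses one spelling throughout. The link to `./doc/ghas-exercises.md` still resolves, since that file is edited rather than renamed in this commit.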
60 changes: 60 additions & 0 deletions doc/ghas-checklist.md
@@ -0,0 +1,60 @@
# Secrets scanning checklist

* [ ] Enable Secrets Scanning - See [Configure secrets scan](https://docs.github.com/en/enterprise-cloud@latest/code-security/secret-scanning/configuring-secret-scanning-for-your-repositories)
* [ ] Enabled Secrets Push Protection - See [Push protection for repositories](https://docs.github.com/en/enterprise-cloud@latest/code-security/secret-scanning/push-protection-for-repositories-and-organizations)
* [ ] Find & manage secret alerts - See [Manage secret alerts](https://docs.github.com/en/enterprise-cloud@latest/code-security/secret-scanning/managing-alerts-from-secret-scanning)
* [ ] Try to push a secret with push protection enabled
* [ ] Create a custom secret scanning pattern - [See Define Custom Patterns](https://docs.github.com/en/enterprise-cloud@latest/code-security/secret-scanning/defining-custom-patterns-for-secret-scanning)
* [ ] Create an exclude pattern for files and folders - See [Excluding directories from secrets scanning alerts for users](https://docs.github.com/en/enterprise-cloud@latest/code-security/secret-scanning/configuring-secret-scanning-for-your-repositories#excluding-directories-from-secret-scanning-alerts-for-users)

# Dependabot alerts checklist

* [ ] Enable Dependabot alerts - See [Configuring Dependabot Alerts](https://docs.github.com/en/enterprise-cloud@latest/code-security/dependabot/dependabot-alerts/configuring-dependabot-alerts)
* [ ] Configure Dependabot custom rules
* [ ] Enable Dependabot Security Updates - See [Configuring Dependabot Security Updates](https://docs.github.com/en/enterprise-cloud@latest/code-security/dependabot/dependabot-security-updates/configuring-dependabot-security-updates)
* [ ] Enable Dependabot Grouped Security Updates (Beta)
* [ ] Configure Dependabot version updates - See [Configuring Dependabot version updates](https://docs.github.com/en/enterprise-cloud@latest/code-security/dependabot/dependabot-version-updates/configuring-dependabot-version-updates)
* [ ] Configure Dependabot Notifications - See [Configure notifications for Dependabot alerts](https://docs.github.com/en/enterprise-cloud@latest/code-security/dependabot/dependabot-alerts/configuring-notifications-for-dependabot-alerts)
* [ ] Review the Dependency Graph and export an SBOM - See [Viewing the Dependency Graph](https://docs.github.com/en/enterprise-cloud@latest/code-security/supply-chain-security/understanding-your-software-supply-chain/exploring-the-dependencies-of-a-repository#viewing-the-dependency-graph) and [Export dependencies as SBOM](https://docs.github.com/en/enterprise-cloud@latest/code-security/supply-chain-security/understanding-your-software-supply-chain/exporting-a-software-bill-of-materials-for-your-repository)
* [ ] Review Dependabot alerts and review search facets and filters
* [ ] Review a single alert - See [View Dependabot Alert](https://docs.github.com/en/enterprise-cloud@latest/code-security/dependabot/dependabot-alerts/viewing-and-updating-dependabot-alerts)
- [ ] Find related CVE and CWEs
- [ ] See "All affected repositories"
- [ ] See related alerts
- [ ] Navigate to the related pull request (if present)
- [ ] Note the dismissal options for a Dependabot alert - See [Dismissing Dependabot Alerts](https://docs.github.com/en/enterprise-cloud@latest/code-security/dependabot/dependabot-alerts/viewing-and-updating-dependabot-alerts#dismissing-dependabot-alerts)
* [ ] Merge a pull request from Dependabot - See [Managing pull requests for dependency updates](https://docs.github.com/en/enterprise-cloud@latest/code-security/dependabot/working-with-dependabot/managing-pull-requests-for-dependency-updates)
- [ ] Review the `@dependabot` chat ops options - See [Managing Dependabot pull requests with comment commands](https://docs.github.com/en/enterprise-cloud@latest/code-security/dependabot/working-with-dependabot/managing-pull-requests-for-dependency-updates#managing-dependabot-pull-requests-with-comment-commands)


# Code scanning with CodeQL

* [ ] Enable Code scanning - See [Configuring code scanning](https://docs.github.com/en/enterprise-cloud@latest/code-security/code-scanning/enabling-code-scanning/configuring-default-setup-for-code-scanning)
* [ ] Review the CodeQL workflow
* [ ] Review 3rd party code scanning workflows
* [ ] Review Code scanning alerts
- [ ] Review search facets and filters
* - Review a single alert
- [ ] Review severity
- [ ] Review related CVE/CWEs
- [ ] Review the source of the CodeQL query
- [ ] Review sources and sink (Show Paths) - Note, not all alerts will have Show Paths.
- [ ] Follow the sink to the code line(s) and see the Copilot X icon. Can you get advice on how to fix it?
- [ ] Note the dismissal options for a Code scanning alert - See [Dismissing code scanning alerts]()
- [ ] Review summary, descriptions, fixes and references
- [ ] Review commit history

# Security advisories

* [ ] Create a security advisory - See [About Security Advisory](https://docs.github.com/en/enterprise-cloud@latest/code-security/security-advisories/working-with-repository-security-advisories/about-repository-security-advisories)

# Security policy

* [ ] Review the security policy - See [Adding a security policy to your repository](https://docs.github.com/en/enterprise-cloud@latest/code-security/getting-started/adding-a-security-policy-to-your-repository)

# General

* - [ ] Review branch protection rules - See [Managing a branch protection rule](https://docs.github.com/en/enterprise-cloud@latest/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/managing-a-branch-protection-rule)
* - [ ] Review repository permissions - [Managing your repositories teams and people](https://docs.github.com/en/enterprise-cloud@latest/repositories/managing-your-repositorys-settings-and-features/managing-repository-settings/managing-teams-and-people-with-access-to-your-repository)
* - [ ] Review Security Overview (Requires Owner or Admin permission on the Org) - See [About the security overview](https://docs.github.com/en/enterprise-cloud@latest/code-security/security-overview/about-security-overview)
* - [ ] Review API for pull GHAS repo info - See [Code Scanning API](https://docs.github.com/en/enterprise-cloud@latest/rest/reference/code-scanning). See also https://github.com/austimkelly/ghas-utils for org-level insights across multiple repos.
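Review bot: the item `Note the dismissal options for a Code scanning alert - See [Dismissing code scanning alerts]()` has an empty link target and will render as a dead link; every other item in the file carries a docs.github.com URL, so add one here or drop the "See" clause. Several list markers are also malformed and will not render as checkboxes: `* - Review a single alert` is missing `[ ]` and mixes `*` with `-`, and the four items under `# General` start with `* - [ ]` instead of `* [ ]`. Minor: `Enabled Secrets Push Protection` should read `Enable`, matching the other imperative items.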
29 changes: 2 additions & 27 deletions doc/ghas-exercises.md
Expand Up @@ -3,7 +3,7 @@
This repository massages most of the Github Advanced Security (GHAS) features into a single repository:

* Dependabot alerts
* Secrets scanning,
* Secrets scanning
* Code scanning with CodeQL
* Security advisories
* Security policy
Expand All @@ -29,39 +29,14 @@ If you fork this repository in a public account, you will have access to all the

# Configure the settings

**TODO** This section will need specific tasks and configurations to review. Additional references to Github docs as well.

1. Create security policy

* TODO

2. Enable Dependabot alerts

* TODO

3. Enable Code scanning with CodeQL

* TODO

4. Enable secret scanning

* TODO

5. Create a security advisory

* TODO

6. Review

* TODO
Please see [GHAS Exercises Checklist](./ghas-checklist.md) for more details on how to configure each of the GHAS features. There are numerous links to documentation to help you interact with each security feature.

# Results

If you have the configured everything correctly you should have the same security alerts as the public repository your forked from. The exception is the Security Advisories, where are not copied to a forked repository.

![GHAS Completed Settings](./img/ghas-fully-configured.png)


# References

* [GHAS Developer Training](https://github.com/services/ghas-developer-training) - An outline of the core concepts suggested by GitHub.
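Review bot: replacing the TODO skeleton with a pointer to `./ghas-checklist.md` is fine, and the link resolves because that file is added in the same commit. While this section is open, the unchanged `# Results` sentence just below it carries three typos worth fixing in the same pass: "If you have the configured everything" should read "If you have configured everything", "the public repository your forked from" should read "you forked from", and "where are not copied" should read "which are not copied". The link text "GHAS Exercises Checklist" also does not match the target, which is a set of per-feature checklists rather than an exercises page; "GHAS checklist" would be clearer.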
