diff --git a/.github/secret_scanning.yml b/.github/secret_scanning.yml new file mode 100644 index 0000000..3af471c --- /dev/null +++ b/.github/secret_scanning.yml @@ -0,0 +1,3 @@ + +paths-ignore: + - "foo/bar/*.js" \ No newline at end of file diff --git a/README.md b/README.md index 400fad6..3832a38 100644 --- a/README.md +++ b/README.md @@ -1,5 +1,5 @@ # swiss-cheese -🧀🧀 A demo repository of simple OWASP Top 10 type of vulnerabilities in Python. Like swiss-cheese, this code is full of holes 🧀🧀 +🧀🧀 A demo repository of small OWASP Top 10 vulnerabilities. Like swiss-cheese, this code is full of holes. Goes great with Github Advanced Security 🧀🧀 ![License](https://img.shields.io/github/license/austimkelly/swiss-cheese.svg) ![Python 3](https://img.shields.io/badge/python-3-blue.svg) @@ -17,9 +17,9 @@ The code samples here here several purposes: * How would you recommend fixing vulnerability X? 4. Will AI assistants such as ChatGPT & Copilot generate insecure code and testing techniques which it may deem unethical? -## GitHub Advanced Security Exercises +## Github Advanced Security Exercises -This repository is also used as a training exercise for GitHub Advanced Security (GHAS) features. See [GHAS Exercises](./doc/ghas-exercises.md) for more details. +This repository is also used as a training exercise for Github Advanced Security (GHAS) features. See [GHAS Exercises](./doc/ghas-exercises.md) for more details. # Code Authors diff --git a/doc/ghas-checklist.md b/doc/ghas-checklist.md new file mode 100644 index 0000000..2047911 --- /dev/null +++ b/doc/ghas-checklist.md 
@@ -0,0 +1,60 @@ +# Secrets scanning checklist + +* [ ] Enable Secrets Scanning - See [Configure secrets scan](https://docs.github.com/en/enterprise-cloud@latest/code-security/secret-scanning/configuring-secret-scanning-for-your-repositories) +* [ ] Enabled Secrets Push Protection - See [Push protection for repositories](https://docs.github.com/en/enterprise-cloud@latest/code-security/secret-scanning/push-protection-for-repositories-and-organizations) +* [ ] Find & manage secret alerts - See [Manage secret alerts](https://docs.github.com/en/enterprise-cloud@latest/code-security/secret-scanning/managing-alerts-from-secret-scanning) +* [ ] Try to push a secret with push protection enabled +* [ ] Create a custom secret scanning pattern - [See Define Custom Patterns](https://docs.github.com/en/enterprise-cloud@latest/code-security/secret-scanning/defining-custom-patterns-for-secret-scanning) +* [ ] Create an exclude pattern for files and folders - See [Excluding directories from secrets scanning alerts for users](https://docs.github.com/en/enterprise-cloud@latest/code-security/secret-scanning/configuring-secret-scanning-for-your-repositories#excluding-directories-from-secret-scanning-alerts-for-users) + +# Dependabot alerts checklist + +* [ ] Enable Dependabot alerts - See [Configuring Dependabot Alerts](https://docs.github.com/en/enterprise-cloud@latest/code-security/dependabot/dependabot-alerts/configuring-dependabot-alerts) +* [ ] Configure Dependabot custom rules +* [ ] Enable Dependabot Security Updates - See [Configuring Dependabot Security Updates](https://docs.github.com/en/enterprise-cloud@latest/code-security/dependabot/dependabot-security-updates/configuring-dependabot-security-updates) +* [ ] Enable Dependabot Grouped Security Updates (Beta) +* [ ] Configure Dependabot version updates - See [Configuring Dependabot version 
updates](https://docs.github.com/en/enterprise-cloud@latest/code-security/dependabot/dependabot-version-updates/configuring-dependabot-version-updates) +* [ ] Configure Dependabot Notifications - See [Configure notifications for Dependabot alerts](https://docs.github.com/en/enterprise-cloud@latest/code-security/dependabot/dependabot-alerts/configuring-notifications-for-dependabot-alerts) +* [ ] Review the Dependency Graph and export an SBOM - See [Viewing the Dependency Graph](https://docs.github.com/en/enterprise-cloud@latest/code-security/supply-chain-security/understanding-your-software-supply-chain/exploring-the-dependencies-of-a-repository#viewing-the-dependency-graph) and [Export dependencies as SBOM](https://docs.github.com/en/enterprise-cloud@latest/code-security/supply-chain-security/understanding-your-software-supply-chain/exporting-a-software-bill-of-materials-for-your-repository) +* [ ] Review Dependabot alerts and review search facets and filters +* [ ] Review a single alert - See [View Dependabot Alert](https://docs.github.com/en/enterprise-cloud@latest/code-security/dependabot/dependabot-alerts/viewing-and-updating-dependabot-alerts) + - [ ] Find related CVE and CWEs + - [ ] See "All affected repositories" + - [ ] See related alerts + - [ ] Navigate to the related pull request (if present) + - [ ] Note the dismissal options for a Dependabot alert - See [Dismissing Dependabot Alerts](https://docs.github.com/en/enterprise-cloud@latest/code-security/dependabot/dependabot-alerts/viewing-and-updating-dependabot-alerts#dismissing-dependabot-alerts) +* [ ] Merge a pull request from Dependabot - See [Managing pull requests for dependency updates](https://docs.github.com/en/enterprise-cloud@latest/code-security/dependabot/working-with-dependabot/managing-pull-requests-for-dependency-updates) + - [ ] Review the `@dependabot` chat ops options - See [Managing Dependabot pull requests with comment 
commands](https://docs.github.com/en/enterprise-cloud@latest/code-security/dependabot/working-with-dependabot/managing-pull-requests-for-dependency-updates#managing-dependabot-pull-requests-with-comment-commands) + + +# Code scanning with CodeQL + +* [ ] Enable Code scanning - See [Configuring code scanning](https://docs.github.com/en/enterprise-cloud@latest/code-security/code-scanning/enabling-code-scanning/configuring-default-setup-for-code-scanning) +* [ ] Review the CodeQL workflow +* [ ] Review 3rd party code scanning workflows +* [ ] Review Code scanning alerts + - [ ] Review search facets and filters +* - Review a single alert + - [ ] Review severity + - [ ] Review related CVE/CWEs + - [ ] Review the source of the CodeQL query + - [ ] Review sources and sink (Show Paths) - Note, not all alerts will have Show Paths. + - [ ] Follow the sink to the code line(s) and see the Copilot X icon. Can you get advice on how to fix it? + - [ ] Note the dismissal options for a Code scanning alert - See [Dismissing code scanning alerts]() + - [ ] Review summary, descriptions, fixes and references + - [ ] Review commit history + +# Security advisories + +* [ ] Create a security advisory - See [About Security Advisory](https://docs.github.com/en/enterprise-cloud@latest/code-security/security-advisories/working-with-repository-security-advisories/about-repository-security-advisories) + +# Security policy + +* [ ] Review the security policy - See [Adding a security policy to your repository](https://docs.github.com/en/enterprise-cloud@latest/code-security/getting-started/adding-a-security-policy-to-your-repository) + +# General + +* - [ ] Review branch protection rules - See [Managing a branch protection rule](https://docs.github.com/en/enterprise-cloud@latest/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/managing-a-branch-protection-rule) +* - [ ] Review repository permissions - [Managing your repositories teams and 
people](https://docs.github.com/en/enterprise-cloud@latest/repositories/managing-your-repositorys-settings-and-features/managing-repository-settings/managing-teams-and-people-with-access-to-your-repository) +* - [ ] Review Security Overview (Requires Owner or Admin permission on the Org) - See [About the security overview](https://docs.github.com/en/enterprise-cloud@latest/code-security/security-overview/about-security-overview) +* - [ ] Review API for pull GHAS repo info - See [Code Scanning API](https://docs.github.com/en/enterprise-cloud@latest/rest/reference/code-scanning). See also https://github.com/austimkelly/ghas-utils for org-level insights across multiple repos. \ No newline at end of file diff --git a/doc/ghas-exercises.md b/doc/ghas-exercises.md index 9515adc..32e7466 100644 --- a/doc/ghas-exercises.md +++ b/doc/ghas-exercises.md @@ -3,7 +3,7 @@ This repository massages most of the Github Advanced Security (GHAS) features into a single repository: * Dependabot alerts -* Secrets scanning, +* Secrets scanning * Code scanning with CodeQL * Security advisories * Security policy @@ -29,31 +29,7 @@ If you fork this repository in a public account, you will have access to all the # Configure the settings -**TODO** This section will need specific tasks and configurations to review. Additional references to Github docs as well. - -1. Create security policy - - * TODO - -2. Enable Dependabot alerts - - * TODO - -3. Enable Code scanning with CodeQL - - * TODO - -4. Enable secret scanning - - * TODO - -5. Create a security advisory - - * TODO - -6. Review - - * TODO +Please see [GHAS Exercises Checklist](./ghas-checklist.md) for more details on how to configure each of the GHAS features. There are numerous links to documentation to help you interact with each security feature. # Results 
@@ -61,7 +37,6 @@ If you have the configured everything correctly you should have the same securit ![GHAS Completed Settings](./img/ghas-fully-configured.png) - # References * [GHAS Developer Training](https://github.com/services/ghas-developer-training) - An outline of the core concepts suggested by GitHub. \ No newline at end of file
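Review bot: In the new `.github/secret_scanning.yml`, `paths-ignore` points at `foo/bar/*.js`, a placeholder path that does not exist in this repository, and the file also begins with an empty `+` line and ends without a trailing newline. Since the checklist added in this same change has a "Create an exclude pattern for files and folders" task, either point the pattern at a real directory you intend to exclude (for example a test-fixture folder) or add a comment line above it saying it is a demo exclusion to be replaced; an `#` comment such as `# demo pattern: replace with the directory you want excluded from secret scanning alerts` would make the intent clear. Exclusions silence alerts for anything they match, so a wildcard pattern deserves that explanation in a training repository.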
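Review bot: The README tagline hunk (`@@ -1,5 +1,5 @@`) drops "in Python" from the description and changes "GitHub" to "Github". The `Python 3` badge two lines below still advertises the language, so keeping "in Python" would be consistent, and the product name is spelled "GitHub" (capital H) everywhere in the linked docs, so the original spelling was the correct one. Suggested line: `🧀🧀 A demo repository of small OWASP Top 10 vulnerabilities in Python. Like swiss-cheese, this code is full of holes. Goes great with GitHub Advanced Security 🧀🧀`.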
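Review bot: The second README hunk (`@@ -17,9 +17,9 @@`) replaces "GitHub Advanced Security" with "Github Advanced Security" in both the heading and the paragraph, which reverses the correct capitalization; I would drop these two changes. While touching this region, the unchanged context line `The code samples here here several purposes:` has a doubled "here" and is missing its verb; `The code samples here serve several purposes:` reads as intended.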
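Review bot: In the new `doc/ghas-checklist.md` the link `[Dismissing code scanning alerts]()` has an empty target, so it renders as a dead link; please add the URL or drop the "See" clause. The checkbox markup is also inconsistent: `* - Review a single alert` has no `[ ]` box, and every item in the General section is written `* - [ ]`, which renders as a nested bullet rather than a top-level task like the `* [ ]` items elsewhere; use `* [ ]` throughout. Smaller points in the same hunk: "Enabled Secrets Push Protection" should be "Enable", "sources and sink" should be "sources and sinks", "Review API for pull GHAS repo info" should read "Review the API for pulling GHAS repo info", `[See Define Custom Patterns](...)` should follow the `See [...]` pattern used by the other items, "Configure Dependabot custom rules" and "Enable Dependabot Grouped Security Updates (Beta)" are the only tasks without a documentation link, the top-level heading "Secrets scanning checklist" describes only the first section of a file that covers all GHAS features, and the file has no trailing newline.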
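Review bot: The `@@ -29,31 +29,7 @@` hunk in `doc/ghas-exercises.md` replaces the six numbered steps with a pointer to the checklist, but one step is lost in translation: the removed list began with "Create security policy", whereas the checklist only has "Review the security policy" (its link is titled "Adding a security policy to your repository", so the intent was creation). Add a "Create a security policy" task to the checklist, or restore that step here, so a reader forking the repository still knows to add `SECURITY.md`. The link text "GHAS Exercises Checklist" also does not match the linked file's own heading ("Secrets scanning checklist"); aligning the two would avoid confusion.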
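Review bot: The final hunk (`@@ -61,7 +37,6 @@`) only removes a blank line before `# References`, which is fine, but the unchanged context line `If you have the configured everything correctly you should have the same securit...` carries a pre-existing typo ("have the configured" should be "have configured") that is worth fixing while this file is open, and the file still lacks a trailing newline.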