add in some more walkthroughs for GHAS demos

.github/workflows/dependency-review.yml

@@ -0,0 +1,20 @@
+# Dependency Review Action
+#
+# This Action will scan dependency manifest files that change as part of a Pull Request, surfacing known-vulnerable versions of the packages declared or updated in the PR. Once installed, if the workflow run is marked as required, PRs introducing known-vulnerable packages will be blocked from merging.
+#
+# Source repository: https://github.com/actions/dependency-review-action
+# Public documentation: https://docs.github.com/en/code-security/supply-chain-security/understanding-your-software-supply-chain/about-dependency-review#dependency-review-enforcement
+name: 'Dependency Review'
+on: [pull_request]
+
+permissions:
+  contents: read
+
+jobs:
+  dependency-review:
+    runs-on: ubuntu-latest
+    steps:
+      - name: 'Checkout Repository'
+        uses: actions/checkout@v3
+      - name: 'Dependency Review'
+        uses: actions/dependency-review-action@v3

.github/workflows/trivy-config.yml

@@ -0,0 +1,31 @@
+# This workflow runs the Trivy in IaC mode.
+# The action itself can be found here: https://github.com/aquasecurity/trivy-action
+# The documentation for running Trivy in config mode can be found here: https://aquasecurity.github.io/trivy/v0.19.2/usage/vuln-type/config/   
+# Note: If you have run Tfsec in the past, the Trivy Config scan is the result of the Aquasec acquisition of Tfsec: https://www.aquasec.com/news/aqua-security-acquires-tfsec/
+name: Trivy IaC Scan
+
+on: [pull_request]
+
+jobs:
+  build:
+    name: Build
+    runs-on: [ubuntu-latest]
+
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v3
+      - name: Run Trivy IaC Scan
+        uses: aquasecurity/trivy-action@master
+        with:
+          severity: "HIGH,CRITICAL"
+          scan-type: "config"
+          hide-progress: false
+          format: "sarif"
+          output: "trivy-results.sarif"
+          ignore-unfixed: true
+          vuln-type: config
+
+      - name: Upload Trivy scan results to GitHub Security tab
+        uses: github/codeql-action/upload-sarif@v2
+        with:
+          sarif_file: "trivy-results.sarif"

README.md

@@ -7,6 +7,7 @@ There are plenty of demo web apps with vulnerabities, this is mean to to provide
 ![Python 3](https://img.shields.io/badge/python-3-blue.svg)
 [![CodeQL](https://github.com/austimkelly/swiss-cheese/actions/workflows/codeql.yml/badge.svg)](https://github.com/austimkelly/swiss-cheese/actions/workflows/codeql.yml)
 [![tfsec](https://github.com/austimkelly/swiss-cheese/actions/workflows/tfsec.yml/badge.svg)](https://github.com/austimkelly/swiss-cheese/actions/workflows/tfsec.yml)
+[![Trivy IaC Scan](https://github.com/austimkelly/swiss-cheese/actions/workflows/trivy-config.yml/badge.svg)](https://github.com/austimkelly/swiss-cheese/actions/workflows/trivy-config.yml)
 
 # Purpose
 

ghas-walkthrough.md

@@ -0,0 +1,71 @@
+# GHAS Walkthrough
+
+This repository leverages GitHub Advanced Security (GHAS) to demonstrate it's core functionality and features.
+Consider the sections below as a simple lab walkthrough of the various features of GHAS, how to find them, and how to enable them.
+
+## Table of Contents
+
+>> TODO  
+
+# Setting up GHAS on this repository
+
+In order to run through the features, simply fork this repository and enable the features you want to test. For quick testing you can fork this on your personal account and keep the visibility public. Most GHAS features are free for public repositories.
+
+>> All subsequent sections assume you have following these steps:
+
+
+1. Fork the repository. 
+2. In your fork, go to **Settings** > **Code Security & analysis** and enable _all_ the security features.
+
+**References**:
+
+* [Managing security and analysis settings for your repository](https://docs.github.com/en/enterprise-cloud@latest/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-security-and-analysis-settings-for-your-repository)
+* [Quick start for securing your repository](https://docs.github.com/en/enterprise-cloud@latest/code-security/getting-started/quickstart-for-securing-your-repository)
+* [Managing security an analysis settings for your organization](https://docs.github.com/en/enterprise-cloud@latest/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization)
+
+# Secrets Scanning
+
+Review the secret scanning alerts for this repository under **Security** > **Secret Scanning**. There are not going to be many secrets identified because the precision of GitHub Secrets scanning is very high (false positives are minimized compared to other scanning solutions like TruffleHog or GitLeaks).
+
+Take a look at the Support Secret provider patterns table under [Supported Secrets](https://docs.github.com/en/code-security/secret-scanning/secret-scanning-patterns#supported-secrets). Here you can see which secret providers are supported by GitHub and which, which are reported to partners, and which are supported for Push Protection.
+
+There's another feature in beta called [Generic Secrets Detection](https://docs.github.com/en/code-security/secret-scanning/secret-scanning-patterns#supported-secrets). This leverages AI to scan and create alerts for unstructured secrets, such as passwords. The false positive rate is likely to be higher for this feature.
+
+Look for Active secrets first. When prioritizing found secrets, use the **Validity** filter set to **Active** to show secrets that are know to be valid.
+
+You can [exclude directories from secret scanning for users](https://docs.github.com/en/enterprise-cloud@latest/code-security/secret-scanning/configuring-secret-scanning-for-your-repositories) by creating a [`.github/secret-scanning.yml`](./.github/secret_scanning.yml) file in the repository. 
+
+## Secrets Push Protection
+
+Secrets Push protection will review developer commits and prevent any pushes on commits that contain secrets. When you consider the high default precision and partner checking for secrets, this is an incredibly powerful feature. Consider the time it takes to block a developer to make a decision on a secret push versus the time it takes to remediate a secret leak.
+
+For more information, see push [protection for repositories and organizations](https://docs.github.com/en/enterprise-cloud@latest/code-security/secret-scanning/push-protection-for-repositories-and-organizations). 
+
+I typically recommend enabling this feature for all repositories with an org-level settings.
+
+# Code Scanning with CodeQL
+
+# Triage Code Scanning Alerts
+
+# Dependabot
+
+## Enabling Dependabot
+
+## Enabling Dependabot Version Updates
+
+# Third Party Code Scanning
+
+## Trivy IaC Scanning
+
+## Dependency Review (by GitHub)
+
+# Re-usable Workflows
+
+# Security Overview (Reporting)
+
+## Enterprise Security Overview
+
+## Organization Security Overview
+
+## Repository Security Overview
+