Commit
1 parent b6ff7d0, commit 55017e9. Showing 22 changed files with 417 additions and 219 deletions.
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -1 +1,3 @@ | ||
app/js/node_modules/ | ||
node_modules | ||
.DS_Store | ||
.mypy_cache |
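Review bot: the new bare `node_modules` entry (second line of the hunk) already ignores that directory at any depth, so the pre-existing `app/js/node_modules/` on the first line is now redundant and can be dropped to keep the ignore file minimal; `.DS_Store` and `.mypy_cache` are sensible additions.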
This file was deleted.
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,27 @@ | ||
# GitHub Advanced Security for Developers | ||
|
||
## Overview | ||
|
||
This repository contains the courseware for the GitHub Advanced Security for Developers course. The course is designed to help develoeprs understand how to secure their code using GitHub Advanced Security. | ||
|
||
## Course Documents | ||
|
||
- [Course Outline](./docs/GitHubAdvancedSecurityDeveloperTrainingOutline.pdf) | ||
- [Course Slides](./docs/GitHubAdvancedSecurityDeveloperTrainingSlides.pdf) | ||
- [Copilot Chat Security](./docs/copilot-chat-security.md) | ||
- [Scripting GitHub Advanced Security](./scripts/scripts.md) | ||
- [Glossary](./docs/glossary.md) | ||
|
||
## Demo Repos | ||
|
||
- [express](https://github.com/Atmosera-adv-sec-prep/passport) | ||
- [swiss cheese](https://github.com/Atmosera-adv-sec-prep/swiss-cheese) | ||
|
||
## Resources | ||
|
||
- [GHAS](https://learn.microsoft.com/en-us/users/githubtraining/collections/rqymc6yw8q5rey) | ||
- [Actions](https://learn.microsoft.com/en-us/collections/n5p4a5z7keznp5) | ||
- [Administration](https://learn.microsoft.com/en-us/collections/mom7u1gzjdxw03) | ||
- [GitHub Advanced Security solutions](https://github.com/advanced-security/) | ||
- [Code Security and Scanning](https://docs.github.com/en/code-security/code-scanning/) | ||
- [Secret Scanning](https://docs.github.com/en/code-security/secret-scanning/) |
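Review bot: typo in the Overview paragraph, `develoeprs` should be `developers`. In the Demo Repos list the link labelled `express` points at a repository named `passport` (`https://github.com/Atmosera-adv-sec-prep/passport`); either the label or the URL is wrong, so make them agree before learners try to clone the intended repo.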
This file was deleted.
This file was deleted.
This file was deleted.
This file was deleted.
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,40 @@ | ||
# Non-Provider Secret Scanning | ||
|
||
1. Ensure you have a GitHub Advanced Security license. Check with you administrator if you are unsure. | ||
|
||
1. Clone the public repo, `https://github.com/ewg-atmosera/toolsapp-svelte-website`, to your local computer. | ||
|
||
```sh | ||
git clone https://github.com/ewg-atmosera/toolsapp-svelte-website | ||
``` | ||
|
||
1. Create a new repo in your GitHub account named `toolsapp-svelte-website`, and push the clone repo to it. | ||
|
||
```sh | ||
git remote add explore-secret-scanning <YOUR GIT REPO URL> | ||
``` | ||
|
||
```sh | ||
git push explore-secret-scanning main | ||
``` | ||
|
||
1. In your new repo, click the top tab `Settings`, then side tab `Code Security`, then scroll down to `Secret scanning`. | ||
|
||
1. Review the default settings. Push protection for supported secrets should be enabled with everything else being disabled. The secret the repo contains is not a supported secret, so it will not be detected. Supported secrets are API keys, OAuth tokens, and personal access tokens from well-known providers. | ||
|
||
1. Enable `Scan for generic secrets` and `Non-provider patterns`. GitHub will then scan the repo for broader range of secrets. It should find the secret in the repo. | ||
1. Click the top tab `Security`, then side tab `Secret scanning`. You should see the secret that was found in the repo. Most likely it will be listed under `Secret scanning` > `Experimental`. | ||
1. Review the secret alert, and then decide how to handle it. Select `Revoked` and type a comment. | ||
```text | ||
Removed from the Tools App REST API configuration. | ||
``` | ||
1. Revoking the secret will remove it from the secret scanning alert list, but the secret will still be in the repo. You will need to remove it manually. | ||
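Review bot: the closing step understates the cleanup: once the secret has been pushed it lives in the commit history as well as the working tree, so deleting it from the file does not remove it from earlier commits; this step should point to the `Remove Secret from Repo` document added in this same commit. Also, selecting `Revoked` only closes the alert, it does not invalidate the credential, so the step should tell learners to revoke it with the issuing system first and then record that in the comment. Minor: `Check with you administrator` should be `your`, `push the clone repo` should be `cloned`, and step 6 is missing an article (`for a broader range of secrets`).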
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,43 @@ | ||
# Custom Pattern Secret Scanning | ||
|
||
1. Ensure you have a GitHub Advanced Security license. Check with you administrator if you are unsure. | ||
|
||
1. Clone the public repo, `https://github.com/ewg-atmosera/toolsapp-svelte-website`, to your local computer. | ||
|
||
```sh | ||
git clone https://github.com/ewg-atmosera/toolsapp-svelte-website | ||
``` | ||
|
||
1. Create a new repo in your GitHub account named `toolsapp-svelte-website`, and push the clone repo to it. | ||
|
||
```sh | ||
git remote add explore-secret-scanning <YOUR GIT REPO URL> | ||
``` | ||
|
||
```sh | ||
git push explore-secret-scanning main | ||
``` | ||
|
||
1. In your new repo, click the top tab `Settings`, then side tab `Code Security`, then scroll down to `Secret scanning` -> `Custom patterns`. | ||
|
||
1. Click the button `New pattern`. | ||
|
||
1. Name the pattern "Organization". | ||
|
||
1. Enter the following value into the `Secret format` field. | ||
|
||
```text | ||
'Organization': '[0-9A-Z]{6}' | ||
``` | ||
|
||
1. Enter the following value into the `Test string` field. | ||
|
||
```text | ||
'Organization': '1D5GHT' | ||
``` | ||
|
||
1. Click the `Save and dry run` button. GitHub will save the custom pattern and queue up the pattern to search the repo. The dry run will show the results of the pattern search. Once it is done, publish the pattern. | ||
|
||
1. The pattern should cause a secret alert to be generated. Click the top tab `Security`, then side tab `Secret scanning`. You should see the secret that was found in the repo. Most likely it will be listed under `Secret scanning`. | ||
|
||
1. Custom patterns can be used to search for secrets that are not supported by the default secret scanning. This can be useful for finding secrets that are unique to your organization. |
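Review bot: the `Secret format` regex `'Organization': '[0-9A-Z]{6}'` makes the whole key/value pair the matched secret, so the resulting alert reports `'Organization': '1D5GHT'` rather than the token itself. GitHub's custom-pattern form has separate `Before secret` and `After secret` fields for exactly this: move the literal `'Organization': '` into `Before secret`, the closing `'` into `After secret`, and keep `[0-9A-Z]{6}` as the secret format so only the value is reported (and so the bare six-character pattern is still anchored by its context). Same typos as the non-provider document (`you administrator`, `clone repo`), and steps 1 to 4 duplicate that document verbatim; a shared setup page would keep the two from drifting apart.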
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,65 @@ | ||
# Remove Secret from Repo | ||
|
||
## Secret in Last Commit | ||
|
||
Removing a secret from the last commit is easy. Simply, amend the last commit and push the changes. | ||
|
||
```bash | ||
git add <FILE_CHANGED> | ||
``` | ||
|
||
```bash | ||
git commit --amend | ||
``` | ||
|
||
```bash | ||
git push -f | ||
``` | ||
|
||
## Secret in Previous Commits | ||
|
||
This is more complicated, and requires rewriting the Git history to remove the secret. This particular example requires Python to be installed. | ||
|
||
1. Install the `git-filter-repo` package. | ||
|
||
```sh | ||
pip install git-filter-repo | ||
``` | ||
|
||
1. Run the following command to remove the secret from the entire Git history. Replace `your-secret` with the actual secret you want to remove. This command will rewrite the Git command history, so be careful when using it, and notify your team members before doing so. | ||
|
||
```sh | ||
git filter-repo --path-glob '*' --replace-text <(echo "your-secret==>REMOVED_SECRET") | ||
``` | ||
|
||
**Note:** This command expects to be performed on a freshly cloned repo. If your repo is not freshly cloned (such as having multiple remotes), you may need to use the `--force` flag. | ||
|
||
```sh | ||
git filter-repo --force --path-glob '*' --replace-text <(echo "your-secret==>REMOVED_SECRET") | ||
``` | ||
|
||
1. Next, the repo needs to be cleaned up. The following commands will remove the original refs and expire the reflog, and then run the garbage collector to prune the repo. If this is not done, the original commits can still be accessed. | ||
|
||
```sh | ||
rm -rf .git/refs/original/ | ||
``` | ||
|
||
```sh | ||
git reflog expire --expire=now --all | ||
``` | ||
|
||
```sh | ||
git gc --prune=now --aggressive | ||
``` | ||
|
||
1. Push the changes to the remote repository. This will overwrite the remote history with the new history, please notify your team members before doing so. | ||
|
||
```sh | ||
git push origin --force --all | ||
``` | ||
|
||
```sh | ||
git push origin --force --tags | ||
``` | ||
|
||
1. Update any secret scanning alerts as appropriate. |
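Review bot: step 3 of "Secret in Previous Commits" is carried over from `git filter-branch` guidance. git-filter-repo does not write backups under `.git/refs/original/` (its own state goes under `.git/filter-repo/`), and on a fresh clone it already expires the reflog and runs `git gc --prune=now` when it finishes, so `rm -rf .git/refs/original/` is a no-op here and the other two commands are redundant; harmless, but the claim that "the original commits can still be accessed" without them is misleading for this tool. More importantly, git-filter-repo removes the `origin` remote by default so a rewrite is not pushed by accident, so `git push origin --force --all` in step 4 fails until the remote is re-added with `git remote add origin <URL>`; the document should say so. In step 2, `<(echo ...)` is bash process substitution, so those fences should say `bash` rather than `sh` (or write the replacement to a file first), `--path-glob '*'` does nothing and can be dropped, and "rewrite the Git command history" should read "Git history". Finally, both sections should state that a pushed secret must be treated as compromised and rotated regardless: `git commit --amend` plus `git push -f`, or a full history rewrite, removes the value from reachable history, but it was already exposed to anyone who fetched it, and the remote keeps unreachable objects for a while.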