clean up courseware
ericwgreene committed Dec 14, 2024
1 parent b6ff7d0 commit 55017e9
Showing 22 changed files with 417 additions and 219 deletions.
4 changes: 3 additions & 1 deletion .gitignore
Original file line number Diff line number Diff line change
@@ -1 +1,3 @@
app/js/node_modules/
node_modules
.DS_Store
.mypy_cache
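Review bot: `app/js/node_modules/` on the first line is redundant once the unanchored `node_modules` entry is added below it, since that pattern already matches the directory at any depth; drop the first line. With the Python app under `app/py` deleted in this same commit, check whether `.mypy_cache` is still needed, and if Python tooling stays, add `__pycache__/` next to it.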
94 changes: 0 additions & 94 deletions OUTLINE.md

This file was deleted.

27 changes: 27 additions & 0 deletions README.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,27 @@
# GitHub Advanced Security for Developers

## Overview

This repository contains the courseware for the GitHub Advanced Security for Developers course. The course is designed to help develoeprs understand how to secure their code using GitHub Advanced Security.

## Course Documents

- [Course Outline](./docs/GitHubAdvancedSecurityDeveloperTrainingOutline.pdf)
- [Course Slides](./docs/GitHubAdvancedSecurityDeveloperTrainingSlides.pdf)
- [Copilot Chat Security](./docs/copilot-chat-security.md)
- [Scripting GitHub Advanced Security](./scripts/scripts.md)
- [Glossary](./docs/glossary.md)

## Demo Repos

- [express](https://github.com/Atmosera-adv-sec-prep/passport)
- [swiss cheese](https://github.com/Atmosera-adv-sec-prep/swiss-cheese)

## Resources

- [GHAS](https://learn.microsoft.com/en-us/users/githubtraining/collections/rqymc6yw8q5rey)
- [Actions](https://learn.microsoft.com/en-us/collections/n5p4a5z7keznp5)
- [Administration](https://learn.microsoft.com/en-us/collections/mom7u1gzjdxw03)
- [GitHub Advanced Security solutions](https://github.com/advanced-security/)
- [Code Security and Scanning](https://docs.github.com/en/code-security/code-scanning/)
- [Secret Scanning](https://docs.github.com/en/code-security/secret-scanning/)
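Review bot: typo in the Overview paragraph, `develoeprs` should be `developers`. Under Demo Repos the entry labelled `express` points at `https://github.com/Atmosera-adv-sec-prep/passport`; either the label or the URL is wrong, so make them agree. The Course Documents links (`./docs/*.pdf`, `./scripts/scripts.md`, `./docs/glossary.md`) are not among the files shown in this diff, so confirm they exist in the tree at this commit or the README will link to nothing.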
1 change: 0 additions & 1 deletion app/py/__init__.py

This file was deleted.

6 changes: 0 additions & 6 deletions app/py/exec.py

This file was deleted.

32 changes: 0 additions & 32 deletions app/py/login.py

This file was deleted.

51 changes: 0 additions & 51 deletions app/py/requirements.txt

This file was deleted.

40 changes: 40 additions & 0 deletions demos/01_non-provider-secret-scanning.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,40 @@
# Non-Provider Secret Scanning

1. Ensure you have a GitHub Advanced Security license. Check with you administrator if you are unsure.

1. Clone the public repo, `https://github.com/ewg-atmosera/toolsapp-svelte-website`, to your local computer.

```sh
git clone https://github.com/ewg-atmosera/toolsapp-svelte-website
```

1. Create a new repo in your GitHub account named `toolsapp-svelte-website`, and push the clone repo to it.

```sh
git remote add explore-secret-scanning <YOUR GIT REPO URL>
```

```sh
git push explore-secret-scanning main
```

1. In your new repo, click the top tab `Settings`, then side tab `Code Security`, then scroll down to `Secret scanning`.

1. Review the default settings. Push protection for supported secrets should be enabled with everything else being disabled. The secret the repo contains is not a supported secret, so it will not be detected. Supported secrets are API keys, OAuth tokens, and personal access tokens from well-known providers.

1. Enable `Scan for generic secrets` and `Non-provider patterns`. GitHub will then scan the repo for broader range of secrets. It should find the secret in the repo.
1. Click the top tab `Security`, then side tab `Secret scanning`. You should see the secret that was found in the repo. Most likely it will be listed under `Secret scanning` > `Experimental`.
1. Review the secret alert, and then decide how to handle it. Select `Revoked` and type a comment.
```text
Removed from the Tools App REST API configuration.
```
1. Revoking the secret will remove it from the secret scanning alert list, but the secret will still be in the repo. You will need to remove it manually.
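Review bot: the last two steps (`Select Revoked and type a comment`) close the alert without the credential actually being revoked; make the step say to revoke or rotate the key at the issuing service first, because resolving an alert as "Revoked" only changes the alert's state, and keep the closing sentence that the secret stays in the repository (and its history) until it is removed. Step 3 has the reader push a project that, per step 5, contains a real secret, so tell them to create the new repository as private. Smaller points: `you administrator` should be `your administrator` and `clone repo` should be `cloned repo`; the remote is named `explore-secret-scanning` here while demo 03 pushes to `origin`, so pick one name across the demos; and steps 6 to 10 lack the blank lines between items that steps 1 to 5 use.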
43 changes: 43 additions & 0 deletions demos/02_custom-pattern-secret-scanning.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,43 @@
# Custom Pattern Secret Scanning

1. Ensure you have a GitHub Advanced Security license. Check with you administrator if you are unsure.

1. Clone the public repo, `https://github.com/ewg-atmosera/toolsapp-svelte-website`, to your local computer.

```sh
git clone https://github.com/ewg-atmosera/toolsapp-svelte-website
```

1. Create a new repo in your GitHub account named `toolsapp-svelte-website`, and push the clone repo to it.

```sh
git remote add explore-secret-scanning <YOUR GIT REPO URL>
```

```sh
git push explore-secret-scanning main
```

1. In your new repo, click the top tab `Settings`, then side tab `Code Security`, then scroll down to `Secret scanning` -> `Custom patterns`.

1. Click the button `New pattern`.

1. Name the pattern "Organization".

1. Enter the following value into the `Secret format` field.

```text
'Organization': '[0-9A-Z]{6}'
```

1. Enter the following value into the `Test string` field.

```text
'Organization': '1D5GHT'
```

1. Click the `Save and dry run` button. GitHub will save the custom pattern and queue up the pattern to search the repo. The dry run will show the results of the pattern search. Once it is done, publish the pattern.

1. The pattern should cause a secret alert to be generated. Click the top tab `Security`, then side tab `Secret scanning`. You should see the secret that was found in the repo. Most likely it will be listed under `Secret scanning`.

1. Custom patterns can be used to search for secrets that are not supported by the default secret scanning. This can be useful for finding secrets that are unique to your organization.
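Review bot: steps 1 to 3 duplicate demo 01 verbatim, including the `you administrator` and `clone repo` typos and the `explore-secret-scanning` remote name; either point at demo 01 or fix both copies. The secret format `'Organization': '[0-9A-Z]{6}'` only matches that exact quoting and spacing, so say so in step 7; a reader who writes the key with double quotes or without the space will get no alert and conclude the feature is broken. The last item ("Custom patterns can be used...") is commentary rather than a step and reads better as a closing paragraph after the list. It is also worth adding that a published custom pattern can have push protection enabled, which is the main reason to define one rather than just run a one-off search.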
65 changes: 65 additions & 0 deletions demos/03_remove-secret-from-repo.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,65 @@
# Remove Secret from Repo

## Secret in Last Commit

Removing a secret from the last commit is easy. Simply, amend the last commit and push the changes.

```bash
git add <FILE_CHANGED>
```

```bash
git commit --amend
```

```bash
git push -f
```

## Secret in Previous Commits

This is more complicated, and requires rewriting the Git history to remove the secret. This particular example requires Python to be installed.

1. Install the `git-filter-repo` package.

```sh
pip install git-filter-repo
```

1. Run the following command to remove the secret from the entire Git history. Replace `your-secret` with the actual secret you want to remove. This command will rewrite the Git command history, so be careful when using it, and notify your team members before doing so.

```sh
git filter-repo --path-glob '*' --replace-text <(echo "your-secret==>REMOVED_SECRET")
```

**Note:** This command expects to be performed on a freshly cloned repo. If your repo is not freshly cloned (such as having multiple remotes), you may need to use the `--force` flag.

```sh
git filter-repo --force --path-glob '*' --replace-text <(echo "your-secret==>REMOVED_SECRET")
```

1. Next, the repo needs to be cleaned up. The following commands will remove the original refs and expire the reflog, and then run the garbage collector to prune the repo. If this is not done, the original commits can still be accessed.

```sh
rm -rf .git/refs/original/
```

```sh
git reflog expire --expire=now --all
```

```sh
git gc --prune=now --aggressive
```

1. Push the changes to the remote repository. This will overwrite the remote history with the new history, please notify your team members before doing so.

```sh
git push origin --force --all
```

```sh
git push origin --force --tags
```

1. Update any secret scanning alerts as appropriate.
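Review bot: `git push origin --force --all` at the end of "Secret in Previous Commits" fails as written, because `git filter-repo` removes the `origin` remote after rewriting history (deliberately, so a rewritten clone is not pushed by accident); add a `git remote add origin <URL>` step before the push. The cleanup step is also aimed at the wrong tool: `.git/refs/original/` is created by `git filter-branch`, not `git filter-repo`, and filter-repo already expires the reflog and runs `git gc` itself, so the `rm -rf`, `reflog expire` and `gc` commands are no-ops here and can go. The `<(echo "your-secret==>REMOVED_SECRET")` process substitution requires bash, but both fences are tagged `sh`; either change the tag or write the replacement to a file (`echo 'your-secret==>REMOVED_SECRET' > replacements.txt`, then `--replace-text replacements.txt`). `--path-glob '*'` adds nothing, since the replacement should apply to every path anyway. In "Secret in Last Commit", the first step should be editing the secret out of the file before `git add <FILE_CHANGED>`, and `git push -f` should be `git push --force-with-lease` so a colleague's intervening push is not overwritten. Finally, the section should state up front that rewriting history does not revoke anything: the pushed commit can remain reachable on GitHub by SHA, and in forks and clones, after the force push, so the credential must be rotated regardless and GitHub support may need to be asked to purge the cached commit.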
