1 parent
b6ff7d0
commit 8f09393
Showing
27 changed files
with
596 additions
and
338 deletions.
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -1 +1,3 @@ | ||
app/js/node_modules/ | ||
node_modules | ||
.DS_Store | ||
.mypy_cache |
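Review bot: the first line, `app/js/node_modules/`, is now redundant: the new `node_modules` entry has no leading slash, so it matches a directory of that name at any depth, including `app/js/node_modules/`. Drop the first line to keep the ignore file minimal.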
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,41 @@ | ||
# GitHub Advanced Security for Developers | ||
|
||
## Overview | ||
|
||
This repository contains the courseware for the GitHub Advanced Security for Developers course. The course is designed to help develoeprs understand how to secure their code using GitHub Advanced Security. | ||
|
||
## Course Documents | ||
|
||
- [Course Outline](./docs/GitHubAdvancedSecurityDeveloperTrainingOutline.pdf) | ||
- [Course Slides](./docs/GitHubAdvancedSecurityDeveloperTrainingSlides.pdf) | ||
- [Scripting GitHub Advanced Security](./scripts/scripts.md) | ||
- [Glossary](./docs/glossary.md) | ||
|
||
## Demos | ||
|
||
- [01 - Non-Provider Secret Scanning](./demos/01_non-provider-secret-scanning.md) | ||
- [02 - Custom Pattern Secret Scanning](./demos/02_custom-pattern-secret-scanning.md) | ||
- [03 - Remove Secret from Repo](./demos/03_remove-secret-from-repo.md) | ||
- [04 - CodeQL Default Setup](./demos/04_codeql_default_setup.md) | ||
- [05 - CodeQL Advanced Setup](./demos/05_codeql_advanced_setup.md) | ||
- [06 - CodeQL Manual Trigger](./demos/06_codeql_manual_trigger.md) | ||
- [07 - Integrate with Third-Party Scanner](./demos/07_integrate_with_third_party_scanner.md) | ||
- [08 - Dependabot Default](./demos/08_dependabot_default.md) | ||
- [09 - Dependabot Custom](./demos/09_dependabot_custom.md) | ||
- [10 - Security Policy](./demos/10_security_policy.md) | ||
|
||
## Repos for Demos | ||
|
||
- [Tools App Svelte Website](https://github.com/ewg-atmosera/toolsapp-svelte-website) | ||
- [C++ Buffer Overflow](https://github.com/ewg-atmosera/buffer-overflow-cpp) | ||
- [Flask App](https://github.com/ewg-atmosera/flask_app) | ||
- [Swiss Cheese](https://github.com/ewg-atmosera/swiss-cheese) | ||
|
||
## Resources | ||
|
||
- [GHAS](https://learn.microsoft.com/en-us/users/githubtraining/collections/rqymc6yw8q5rey) | ||
- [Actions](https://learn.microsoft.com/en-us/collections/n5p4a5z7keznp5) | ||
- [Administration](https://learn.microsoft.com/en-us/collections/mom7u1gzjdxw03) | ||
- [GitHub Advanced Security solutions](https://github.com/advanced-security/) | ||
- [Code Security and Scanning](https://docs.github.com/en/code-security/code-scanning/) | ||
- [Secret Scanning](https://docs.github.com/en/code-security/secret-scanning/) |
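Review bot: typo in the Overview paragraph: "develoeprs" should read "developers". Also, the Tools App Svelte Website repo listed under "Repos for Demos" is, per demo 01, a repo that deliberately contains a secret for learners to find and push to their own account; a one-line note here that the planted secret is a non-functional training value would keep learners from treating it as a live credential or reporting it.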
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,47 @@ | ||
# Non-Provider Secret Scanning | ||
|
||
## Useful Links | ||
|
||
- [Secret Scanning](https://docs.github.com/en/code-security/secret-scanning) | ||
- [Supported Secret](https://docs.github.com/en/code-security/secret-scanning/introduction/supported-secret-scanning-patterns#supported-secrets) | ||
|
||
## Instructions | ||
|
||
1. Ensure you have a GitHub Advanced Security license. Check with you administrator if you are unsure. | ||
|
||
1. Clone the public repo, `https://github.com/ewg-atmosera/toolsapp-svelte-website`, to your local computer. | ||
|
||
```sh | ||
git clone https://github.com/ewg-atmosera/toolsapp-svelte-website | ||
``` | ||
|
||
1. Create a new repo in your GitHub account named `toolsapp-svelte-website`, and push the clone repo to it. | ||
|
||
```sh | ||
git remote add explore-secret-scanning <YOUR GIT REPO URL> | ||
``` | ||
|
||
```sh | ||
git push explore-secret-scanning main | ||
``` | ||
|
||
1. In your new repo, click the top tab `Settings`, then side tab `Code Security`, then scroll down to `Secret scanning`. | ||
|
||
1. Review the default settings. Push protection for supported secrets should be enabled with everything else being disabled. The secret the repo contains is not a supported secret, so it will not be detected. Supported secrets are API keys, OAuth tokens, and personal access tokens from well-known providers. | ||
|
||
1. Enable `Scan for generic secrets` and `Non-provider patterns`. GitHub will then scan the repo for broader range of secrets. It should find the secret in the repo. | ||
1. Click the top tab `Security`, then side tab `Secret scanning`. You should see the secret that was found in the repo. Most likely it will be listed under `Secret scanning` > `Experimental`. | ||
1. Review the secret alert, and then decide how to handle it. Select `Revoked` and type a comment. | ||
```text | ||
Removed from the Tools App REST API configuration. | ||
``` | ||
1. Revoking the secret will remove it from the secret scanning alert list, but the secret will still be in the repo. You will need to remove it manually. | ||
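Review bot: the step "Select `Revoked` and type a comment" closes the alert with a resolution that asserts the credential has been invalidated, but no step in the demo actually revokes or rotates the secret, and the final step says it is still present in the repo. Either add a step that invalidates the credential at its issuer before selecting `Revoked` (or say explicitly that this is simulated in the training repo), and point readers to demo 03, "Remove Secret from Repo", for purging it from history, since closing the alert does not touch git history. Minor: "Check with you administrator" should be "your administrator"; "push the clone repo" should be "cloned repo"; the ```text fence after "type a comment" is not indented under its list item, so in rendered Markdown the list breaks and the next step restarts at 1; and the steps from "Enable `Scan for generic secrets`" onward lack the blank lines used between the earlier steps.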
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,49 @@ | ||
# Custom Pattern Secret Scanning | ||
|
||
## Useful Links | ||
|
||
- [Custom Secret Scanning](https://docs.github.com/en/enterprise-cloud@latest/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/defining-custom-patterns-for-secret-scanning) | ||
|
||
## Instructions | ||
|
||
1. Ensure you have a GitHub Advanced Security license. Check with you administrator if you are unsure. | ||
|
||
1. Clone the public repo, `https://github.com/ewg-atmosera/toolsapp-svelte-website`, to your local computer. | ||
|
||
```sh | ||
git clone https://github.com/ewg-atmosera/toolsapp-svelte-website | ||
``` | ||
|
||
1. Create a new repo in your GitHub account named `toolsapp-svelte-website`, and push the clone repo to it. | ||
|
||
```sh | ||
git remote add explore-secret-scanning <YOUR GIT REPO URL> | ||
``` | ||
|
||
```sh | ||
git push explore-secret-scanning main | ||
``` | ||
|
||
1. In your new repo, click the top tab `Settings`, then side tab `Code Security`, then scroll down to `Secret scanning` -> `Custom patterns`. | ||
|
||
1. Click the button `New pattern`. | ||
|
||
1. Name the pattern "Organization". | ||
|
||
1. Enter the following value into the `Secret format` field. | ||
|
||
```text | ||
'Organization': '[0-9A-Z]{6}' | ||
``` | ||
|
||
1. Enter the following value into the `Test string` field. | ||
|
||
```text | ||
'Organization': '1D5GHT' | ||
``` | ||
|
||
1. Click the `Save and dry run` button. GitHub will save the custom pattern and queue up the pattern to search the repo. The dry run will show the results of the pattern search. Once it is done, publish the pattern. | ||
|
||
1. The pattern should cause a secret alert to be generated. Click the top tab `Security`, then side tab `Secret scanning`. You should see the secret that was found in the repo. Most likely it will be listed under `Secret scanning`. | ||
|
||
1. Custom patterns can be used to search for secrets that are not supported by the default secret scanning. This can be useful for finding secrets that are unique to your organization. |
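Review bot: the `Secret format` value `'Organization': '[0-9A-Z]{6}'` puts the literal key name and quotes inside the secret regex, so the resulting alert reports the whole `'Organization': 'XXXXXX'` string as the secret rather than the six-character value. Move `'Organization': '` into the `Before secret` field and the closing `'` into `After secret` (under `More options` on the pattern form), leaving `[0-9A-Z]{6}` as the secret format; the pattern still fires only on that key, but the alert and any later revocation workflow see just the value. Worth a sentence in the closing step too: a bare six-character uppercase alphanumeric pattern is low entropy and will produce false positives if those surrounding-context anchors are ever dropped. Minor: the same typos as demo 01 ("you administrator", "clone repo"), and the clone and push steps duplicate demo 01 verbatim and could simply reference it.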