Commit
clean up courseware
ericwgreene committed Dec 14, 2024
1 parent b6ff7d0 commit b70e042
Showing 27 changed files with 604 additions and 338 deletions.
4 changes: 3 additions & 1 deletion .gitignore
@@ -1 +1,3 @@
app/js/node_modules/
node_modules
.DS_Store
.mypy_cache
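Review bot: the new bare `node_modules` entry already matches `app/js/node_modules/` at any depth, so the first line is now redundant and can be dropped to keep the ignore list minimal. Also, since this commit deletes every file under `app/py/` and the README now points at an external Flask demo repo, check whether `.mypy_cache` is still needed in this repository at all.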
94 changes: 0 additions & 94 deletions OUTLINE.md

This file was deleted.
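Review bot: the markdown outline is removed in favour of a PDF linked from README.md (`./docs/GitHubAdvancedSecurityDeveloperTrainingOutline.pdf`). A PDF cannot be diffed or reviewed in pull requests, so consider keeping a markdown copy of the outline alongside it.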

49 changes: 49 additions & 0 deletions README.md
@@ -0,0 +1,49 @@
# GitHub Advanced Security for Developers

## Overview

This repository contains the courseware for the GitHub Advanced Security for Developers course. The course is designed to help develoeprs understand how to secure their code using GitHub Advanced Security.

## Schedule

- Session is approximately 3 hours
- One 15 minute break about halfway through
- First 2 hours are lecture and demos
- Last hour is Q&A
- There are no independent labs, but the demos are scripted so you can follow along or explore them on your own following the session

## Course Documents

- [Course Outline](./docs/GitHubAdvancedSecurityDeveloperTrainingOutline.pdf)
- [Course Slides](./docs/GitHubAdvancedSecurityDeveloperTrainingSlides.pdf)
- [Scripting GitHub Advanced Security](./scripts/scripts.md)
- [Glossary](./docs/glossary.md)

## Demos

- [01 - Non-Provider Secret Scanning](./demos/01_non-provider-secret-scanning.md)
- [02 - Custom Pattern Secret Scanning](./demos/02_custom-pattern-secret-scanning.md)
- [03 - Remove Secret from Repo](./demos/03_remove-secret-from-repo.md)
- [04 - CodeQL Default Setup](./demos/04_codeql_default_setup.md)
- [05 - CodeQL Advanced Setup](./demos/05_codeql_advanced_setup.md)
- [06 - CodeQL Manual Trigger](./demos/06_codeql_manual_trigger.md)
- [07 - Integrate with Third-Party Scanner](./demos/07_integrate_with_third_party_scanner.md)
- [08 - Dependabot Default](./demos/08_dependabot_default.md)
- [09 - Dependabot Custom](./demos/09_dependabot_custom.md)
- [10 - Security Policy](./demos/10_security_policy.md)

## Repos for Demos

- [Tools App Svelte Website](https://github.com/ewg-atmosera/toolsapp-svelte-website)
- [C++ Buffer Overflow](https://github.com/ewg-atmosera/buffer-overflow-cpp)
- [Flask App](https://github.com/ewg-atmosera/flask_app)
- [Swiss Cheese](https://github.com/ewg-atmosera/swiss-cheese)

## Resources

- [GHAS](https://learn.microsoft.com/en-us/users/githubtraining/collections/rqymc6yw8q5rey)
- [Actions](https://learn.microsoft.com/en-us/collections/n5p4a5z7keznp5)
- [Administration](https://learn.microsoft.com/en-us/collections/mom7u1gzjdxw03)
- [GitHub Advanced Security solutions](https://github.com/advanced-security/)
- [Code Security and Scanning](https://docs.github.com/en/code-security/code-scanning/)
- [Secret Scanning](https://docs.github.com/en/code-security/secret-scanning/)
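Review bot: typo in the Overview paragraph, `develoeprs` should be `developers`. The Demos list links ten pages under `./demos/`, plus `./scripts/scripts.md` and `./docs/glossary.md`, but only `demos/01_non-provider-secret-scanning.md` and `demos/02_custom-pattern-secret-scanning.md` are visible in this rendered diff; confirm the remaining link targets are part of the commit so the README does not ship with dead links.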
40 changes: 0 additions & 40 deletions analysis/copilot-chat-security.md

This file was deleted.

1 change: 0 additions & 1 deletion app/py/__init__.py

This file was deleted.

6 changes: 0 additions & 6 deletions app/py/exec.py

This file was deleted.

32 changes: 0 additions & 32 deletions app/py/login.py

This file was deleted.

51 changes: 0 additions & 51 deletions app/py/requirements.txt

This file was deleted.

47 changes: 47 additions & 0 deletions demos/01_non-provider-secret-scanning.md
@@ -0,0 +1,47 @@
# Non-Provider Secret Scanning

## Useful Links

- [Secret Scanning](https://docs.github.com/en/code-security/secret-scanning)
- [Supported Secret](https://docs.github.com/en/code-security/secret-scanning/introduction/supported-secret-scanning-patterns#supported-secrets)

## Instructions

1. Ensure you have a GitHub Advanced Security license. Check with you administrator if you are unsure.

1. Clone the public repo, `https://github.com/ewg-atmosera/toolsapp-svelte-website`, to your local computer.

```sh
git clone https://github.com/ewg-atmosera/toolsapp-svelte-website
```

1. Create a new repo in your GitHub account named `toolsapp-svelte-website`, and push the clone repo to it.

```sh
git remote add explore-secret-scanning <YOUR GIT REPO URL>
```

```sh
git push explore-secret-scanning main
```

1. In your new repo, click the top tab `Settings`, then side tab `Code Security`, then scroll down to `Secret scanning`.

1. Review the default settings. Push protection for supported secrets should be enabled with everything else being disabled. The secret the repo contains is not a supported secret, so it will not be detected. Supported secrets are API keys, OAuth tokens, and personal access tokens from well-known providers.

1. Enable `Scan for generic secrets` and `Non-provider patterns`. GitHub will then scan the repo for broader range of secrets. It should find the secret in the repo.
1. Click the top tab `Security`, then side tab `Secret scanning`. You should see the secret that was found in the repo. Most likely it will be listed under `Secret scanning` > `Experimental`.
1. Review the secret alert, and then decide how to handle it. Select `Revoked` and type a comment.
```text
Removed from the Tools App REST API configuration.
```
1. Revoking the secret will remove it from the secret scanning alert list, but the secret will still be in the repo. You will need to remove it manually.
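Review bot: the final steps resolve the alert as `Revoked` with the comment `Removed from the Tools App REST API configuration.`, but removing a credential from a config file does not invalidate it; `Revoked` should only be selected once the token has actually been revoked at the issuing service, otherwise closing the alert hides a still-live secret. Suggest ordering the step as: revoke at the provider, then mark the alert `Revoked`, then follow demo 03 to purge it from history (the last line already notes the secret stays in the repo). Minor: `Check with you administrator` should read `your administrator`, `push the clone repo` should read `cloned repo`, the link text `Supported Secret` should be plural, and the last four steps need blank lines between them and the ```text fence indented so they stay inside the numbered list.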
49 changes: 49 additions & 0 deletions demos/02_custom-pattern-secret-scanning.md
@@ -0,0 +1,49 @@
# Custom Pattern Secret Scanning

## Useful Links

- [Custom Secret Scanning](https://docs.github.com/en/enterprise-cloud@latest/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/defining-custom-patterns-for-secret-scanning)

## Instructions

1. Ensure you have a GitHub Advanced Security license. Check with you administrator if you are unsure.

1. Clone the public repo, `https://github.com/ewg-atmosera/toolsapp-svelte-website`, to your local computer.

```sh
git clone https://github.com/ewg-atmosera/toolsapp-svelte-website
```

1. Create a new repo in your GitHub account named `toolsapp-svelte-website`, and push the clone repo to it.

```sh
git remote add explore-secret-scanning <YOUR GIT REPO URL>
```

```sh
git push explore-secret-scanning main
```

1. In your new repo, click the top tab `Settings`, then side tab `Code Security`, then scroll down to `Secret scanning` -> `Custom patterns`.

1. Click the button `New pattern`.

1. Name the pattern "Organization".

1. Enter the following value into the `Secret format` field.

```text
'Organization': '[0-9A-Z]{6}'
```

1. Enter the following value into the `Test string` field.

```text
'Organization': '1D5GHT'
```

1. Click the `Save and dry run` button. GitHub will save the custom pattern and queue up the pattern to search the repo. The dry run will show the results of the pattern search. Once it is done, publish the pattern.

1. The pattern should cause a secret alert to be generated. Click the top tab `Security`, then side tab `Secret scanning`. You should see the secret that was found in the repo. Most likely it will be listed under `Secret scanning`.

1. Custom patterns can be used to search for secrets that are not supported by the default secret scanning. This can be useful for finding secrets that are unique to your organization.
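Review bot: the `Secret format` regex `'Organization': '[0-9A-Z]{6}'` includes the key name in the match, so the alert's detected secret will be the whole `'Organization': '1D5GHT'` string rather than the six-character value. The custom pattern form also offers `Before secret` and `After secret` fields; putting `'Organization': '` in `Before secret`, `'` in `After secret` and leaving `[0-9A-Z]{6}` as the secret format makes the alert (and any later push-protection block) report only the credential. Also, the last numbered item is background explanation rather than an instruction and reads better as a closing paragraph after the list, and the `you administrator` / `clone repo` typos from demo 01 repeat in steps 1 and 3 here.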