https://github.com/github-samples/securing-your-code

Topics: code-security dependabot dependency-graph ghas secrets-detection

# Securing your code with GitHub

Authors: @joshjohanning @mickeygousset @writingpanda @felickz @tspascoal


- **Who is this for**: Enterprise - Engineering Leadership, Enterprise - Developers, Open Source Developers or Maintainers, Security Professionals, Startups, Security Leadership, Educators
- **What you'll learn**: Here at GitHub, we like to say that "found means fixed." That's because when issues are found they can more easily be fixed. In this workshop you'll dive into a repository filled with security alerts and begin to remediate them using GitHub Advanced Security (GHAS) and Dependabot, effectively maintaining code integrity. You'll also encounter and resolve a few security issues using Copilot Autofix. The end goal? To learn and develop strategies to motivate your developers to turn reactive fixes into proactive security habits.

See [requirements](_labs/requirements.md) for what is needed to run this lab.

---

## Workshop Labs

### Lab 1 - GitHub Advanced Security Feature Introduction

This lab will introduce you to GitHub Advanced Security (GHAS) and its features.

- Get started here - [Lab 1](./_labs/lab1.md)

---

### Lab 2 - Reviewing and Managing Security Alerts

This lab will show you how to review and manage the alerts created in Lab 1.

- Get started here - [Lab 2](./_labs/lab2.md)

---

### Lab 3 - Hands-on with Code Scanning

This lab will have you add some bad code, use repository rulesets to block that code from being merged, and use Copilot Autofix to fix it.

- Get started here - [Lab 3](./_labs/lab3.md)

---

### Lab 4 - Hands-on with Dependency Review

This lab will have you use the Dependency Review action to block a pull request that introduces a vulnerable dependency.

- Get started here - [Lab 4](./_labs/lab4.md)

---

### Lab 5 - Hands-on with Secret Scanning

This lab will have you utilize Secret Scanning with Push Protection to prevent secrets from entering the codebase.

- Get started here - [Lab 5](./_labs/lab5.md)

---

### Lab 6 - Hands-on with Security Overview

This lab will teach you how to use the Security Overview effectively to review alerts and feature coverage across an organization.

- Get started here - [Lab 6](./_labs/lab6.md)

---

### Extra Credit: Advanced CodeQL Setup

This open-ended extra credit lab will have you switch to the advanced CodeQL setup.

- Get started here - [Extra Credit Lab 1](./_labs/lab7-ec.md)

---

### Extra Credit: Custom Patterns for Secret Scanning

This open-ended extra credit lab will have you create a custom secret scanning pattern.

- Get started here - [Extra Credit Lab 2](./_labs/lab8-ec.md)

---

## :book: Resources

- [GitHub Docs - About GitHub Advanced Security](https://docs.github.com/en/get-started/learning-about-github/about-github-advanced-security)
- [GitHub Security Learning Pathway](https://resources.github.com/learn/pathways/security/)

## License

### Securing your code with GitHub

This project is licensed under the terms of the MIT open source license. Please refer to [MIT](./LICENSE) for the full terms.

### OWASP Juice Shop

This lab uses and includes sample code from the OWASP Juice Shop project. The Juice Shop is Copyright (c) 2014-2024 Bjoern Kimminich & the OWASP Juice Shop contributors. Please refer to the [LICENSE](./LICENSE) for the full terms.