https://github.com/timothywarner-org/globomantics-ghas-dashboard
GitHub Advanced Security Dashboard - Teaching artifact for GH-500 certification prep | Pluralsight | Real GHAS data visualization
certification codeql dashboard dependabot education ghas github-advanced-security nodejs pluralsight react security training
- Host: GitHub
- URL: https://github.com/timothywarner-org/globomantics-ghas-dashboard
- Owner: timothywarner-org
- License: mit
- Created: 2026-01-26T13:50:36.000Z (4 months ago)
- Default Branch: main
- Last Pushed: 2026-01-26T17:30:41.000Z (4 months ago)
- Last Synced: 2026-01-27T03:34:02.743Z (4 months ago)
- Topics: certification, codeql, dashboard, dependabot, education, ghas, github-advanced-security, nodejs, pluralsight, react, security, training
- Language: JavaScript
- Homepage: https://techtrainertim.com
- Size: 1.02 MB
- Stars: 0
- Watchers: 0
- Forks: 0
- Open Issues: 12
Metadata Files:
- Readme: README.md
- Contributing: CONTRIBUTING.md
- License: LICENSE
- Code of conduct: CODE_OF_CONDUCT.md
- Security: SECURITY.md
- Agents: AGENTS.md
README
---
:robot: Globomantics GHAS Dashboard
A Real-World Training Repository for GitHub Advanced Security (GH-500) Certification
Globomantics Robotics - Platform Engineering Division
---
## :dart: What Is This?
A **real, non-toy web application** that visualizes GitHub Advanced Security data for its own repository. Built as a **teaching artifact** for **GH-500: GitHub Advanced Security** certification preparation on Pluralsight.
This is not a simple demo - it's a full-stack React + Express application that *practices what it preaches* by monitoring **its own security posture**.
---
## :brain: The "Dogfooding" Architecture
This dashboard demonstrates a **self-referential security monitoring pattern** - it intentionally contains vulnerable dependencies so learners can observe *real* GHAS features in action:
```
+=====================================================================+
| SELF-REFERENTIAL DEMO ARCHITECTURE |
+=====================================================================+
| |
| +---------------------------------------------------------------+ |
| | package.json | |
| | Contains INTENTIONALLY VULNERABLE dependencies: | |
| | - lodash@4.17.20, axios@0.21.1, node-fetch@2.6.1 | |
| | - minimist@1.2.5, tar@4.4.13, glob-parent@5.1.1 | |
| +---------------------------------------------------------------+ |
| | |
| v |
| +---------------------------------------------------------------+ |
| | GitHub Advanced Security (GHAS) | |
| | - Dependency Graph parses manifest | |
| | - Advisory Database matches CVEs | |
| | - Dependabot creates alerts | |
| +---------------------------------------------------------------+ |
| | |
| v |
| +---------------------------------------------------------------+ |
| | Dashboard Express API | |
| | GET /api/alerts -> Fetches Dependabot alerts via Octokit | |
| | GET /api/dependencies -> Parses package.json + correlates CVEs| |
| +---------------------------------------------------------------+ |
| | |
| v |
| +---------------------------------------------------------------+ |
| | React Frontend (Vite) | |
| | Displays: Real CVEs | Real Alerts | Real Security Data | |
| | Learners see LIVE GHAS data from THIS repository | |
| +---------------------------------------------------------------+ |
| |
+=====================================================================+
Learners observe the COMPLETE supply chain security loop
```
---
## :mortar_board: GH-500 Exam Domain Alignment
The GH-500 certification covers five domains. This dashboard is optimized for **Domain 3**, which carries the highest exam weight:
| Domain | Weight | Topic | Dashboard Coverage |
|:------:|:------:|-------|-------------------|
| 1 | 15% | **GHAS Features Overview** | :white_check_mark: Full visibility into all GHAS features |
| 2 | 15% | **Secret Scanning** | :construction: Planned for future release |
| **3** | **35%** | **Dependencies, Alerts, Dependency Review** | :star: **PRIMARY FOCUS** - Full coverage with live demos |
| 4 | 25% | **CodeQL Analysis** | :white_check_mark: CodeQL workflow with security-extended queries |
| 5 | 10% | **Best Practices** | :white_check_mark: Workflow best practices demonstrated |
> :bulb: **Exam Tip:** Domain 3 is the largest portion of the exam at 35%. This dashboard provides hands-on experience with every concept in that domain.
---
## :rocket: Quick Start
### Prerequisites
| Requirement | Details |
|-------------|---------|
| **Node.js** | Version 20.0.0 or higher |
| **GitHub PAT** | Personal Access Token with `repo` and `security_events` scopes |
| **Git** | For cloning the repository |
### Installation
```bash
# Clone the repository
git clone https://github.com/timothywarner-org/globomantics-ghas-dashboard.git
cd globomantics-ghas-dashboard
# Install dependencies
npm install
# Configure environment variables
cp .env.example .env
# Edit .env and add your GITHUB_TOKEN
# Start development servers
npm run dev
```
### Access the Application
| Service | URL | Description |
|---------|-----|-------------|
| **Frontend** | http://localhost:5173 | React dashboard UI |
| **Backend API** | http://localhost:3001 | Express REST API |
---
## :warning: Intentional Vulnerabilities
> **EDUCATIONAL PURPOSE ONLY** - This repository contains **pinned vulnerable dependencies** to trigger GHAS features. **Do NOT use these versions in production!**
| Package | Version | CVE | Severity | Vulnerability Type |
|---------|:-------:|-----|:--------:|-------------------|
| `lodash` | 4.17.20 | CVE-2021-23337 | :orange_circle: High | Command Injection |
| `lodash` | 4.17.20 | CVE-2020-28500 | :yellow_circle: Moderate | ReDoS |
| `minimist` | 1.2.5 | CVE-2021-44906 | :red_circle: **Critical** | Prototype Pollution |
| `axios` | 0.21.1 | CVE-2021-3749 | :orange_circle: High | ReDoS |
| `node-fetch` | 2.6.1 | CVE-2022-0235 | :orange_circle: High | Information Exposure |
| `tar` | 4.4.13 | CVE-2021-32803 | :orange_circle: High | Arbitrary File Write |
| `tar` | 4.4.13 | CVE-2021-32804 | :orange_circle: High | Arbitrary File Write |
| `glob-parent` | 5.1.1 | CVE-2020-28469 | :orange_circle: High | ReDoS |
| `trim-newlines` | 3.0.0 | CVE-2021-33623 | :orange_circle: High | ReDoS |
| `path-parse` | 1.0.6 | CVE-2021-23343 | :orange_circle: High | ReDoS |
These packages exist **solely** to generate Dependabot alerts and demonstrate the dependency review action. Remember that `npm install` puts exactly these versions into your local `node_modules`; treat the checkout as a lab environment and do not copy this `package.json` into other projects.
---
## :building_construction: Architecture Overview
### Tech Stack
```
+---------------------------+ +---------------------------+
| FRONTEND | | BACKEND |
+---------------------------+ +---------------------------+
| React 18 | | Express 4.18 |
| Vite 5 (dev server) | | Octokit REST Client |
| TanStack Query | | CORS + Helmet middleware |
| Tailwind CSS 3.4 | | Rate limiting |
| Recharts (visualizations) | | In-memory caching |
| Lucide React (icons) | | |
+---------------------------+ +---------------------------+
Port 5173 Port 3001
```
### Project Structure
```
globomantics-ghas-dashboard/
├── .github/
│ ├── workflows/
│ │ ├── ci.yml # Build/test pipeline
│ │ ├── dependency-review.yml # Blocks PRs with new vulns
│ │ └── codeql.yml # JavaScript security scanning
│ └── dependabot.yml # Automated updates config
├── src/
│ ├── client/ # React frontend (Vite)
│ │ ├── components/ # UI components
│ │ ├── pages/ # Route pages
│ │ ├── hooks/ # Custom React hooks
│ │ └── api/ # API client functions
│ └── server/ # Express backend
│ ├── routes/ # API route handlers
│ ├── github/ # Octokit client setup
│ └── middleware/ # Express middleware
├── docs/
│ ├── DEMO-RUNBOOK-M5.md # Module 5 demo script
│ └── DEMO-RUNBOOK-M6.md # Module 6 demo script
├── package.json # Includes intentional vulns
└── README.md # You are here!
```
### API Endpoints
| Endpoint | Method | Description |
|----------|:------:|-------------|
| `/api/repo` | GET | Repository metadata and GHAS feature status |
| `/api/alerts` | GET | Dependabot alerts with severity breakdown |
| `/api/dependencies` | GET | Parsed dependencies with CVE correlation |
| `/api/pull-requests` | GET | PRs with dependency changes and review status |
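The alert-to-manifest correlation that the dogfooding diagram and the `/api/alerts` and `/api/dependencies` rows describe, as an added example rather than the dashboard's own code. It uses the field names of the REST endpoint `GET /repos/{owner}/{repo}/dependabot/alerts`; the `DEMO_DEPS` manifest, the sample alerts, the placeholder package `example-transitive` and the `LIVE_ALERTS` opt-in variable are constructed for this example (the CVE numbers are the ones in the table above). Run it with Node 20 and no arguments for the offline correlation; set `LIVE_ALERTS=1` and `GITHUB_TOKEN` to run it against a real repository.

```javascript
// Added example, not the dashboard's own code: correlate Dependabot alerts with the
// dependencies declared in package.json, as the README describes /api/alerts and
// /api/dependencies doing. Alerts use the field names returned by
// GET /repos/{owner}/{repo}/dependabot/alerts; the manifest and alerts below are
// constructed for this example, with the CVE numbers listed in this README.

// Constructed package.json "dependencies"; the axios caret range shows that only the floor is checked.
const DEMO_DEPS = { lodash: '4.17.20', axios: '^0.21.1', minimist: '1.2.5', 'node-fetch': '2.6.1' };

function makeAlert(number, state, name, manifestPath, cve, severity, range, patched) {
  return {
    number, state,
    dependency: { package: { ecosystem: 'npm', name }, manifest_path: manifestPath, scope: 'runtime' },
    security_advisory: { cve_id: cve, severity },
    security_vulnerability: { vulnerable_version_range: range, first_patched_version: patched ? { identifier: patched } : null },
  };
}

const SAMPLE_ALERTS = [
  makeAlert(1, 'open', 'lodash', 'package.json', 'CVE-2021-23337', 'high', '< 4.17.21', '4.17.21'),
  makeAlert(2, 'open', 'minimist', 'package.json', 'CVE-2021-44906', 'critical', '< 1.2.6', '1.2.6'),
  makeAlert(3, 'open', 'node-fetch', 'package.json', 'CVE-2022-0235', 'high', '>= 2.0.0, < 2.6.7', '2.6.7'),
  makeAlert(4, 'dismissed', 'axios', 'package.json', 'CVE-2021-3749', 'high', '< 0.21.2', '0.21.2'),
  makeAlert(5, 'open', 'example-transitive', 'package-lock.json', null, 'medium', '< 9.9.9', '9.9.9'), // placeholder: lockfile only
];

// "4.17.20", "^4.17.20" or "4.17.20-beta.1" -> [4, 17, 20]. Pre-release tags are
// ignored (an assumption): fine for pinned versions, not a full semver parser.
function parseVersion(v) {
  const core = String(v).trim().replace(/^[\^~=v]+/, '').split(/[-+]/)[0];
  return core.split('.').map((p) => parseInt(p, 10) || 0);
}

function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  return 0;
}
const OPS = { '<': (c) => c < 0, '<=': (c) => c <= 0, '>': (c) => c > 0, '>=': (c) => c >= 0, '=': (c) => c === 0 };

// Evaluate a Dependabot range such as "< 4.17.21" or ">= 2.0.0, < 2.6.7"; every clause must hold.
function inVulnerableRange(version, range) {
  return range.split(',').every((clause) => {
    const m = clause.trim().match(/^(<=|>=|<|>|=)?\s*(\S+)$/);
    if (!m) throw new Error(`unrecognised range clause: ${clause}`);
    return OPS[m[1] || '='](compareVersions(version, m[2]));
  });
}
const SEVERITY_RANK = { critical: 0, high: 1, medium: 2, low: 3 };

// Per-package findings plus the severity breakdown, for open alerts only.
function correlate(alerts, deps) {
  const bySeverity = { critical: 0, high: 0, medium: 0, low: 0 };
  const findings = [];
  for (const a of alerts) {
    if (a.state !== 'open') continue;   // fixed, dismissed and auto_dismissed are not actionable
    const name = a.dependency.package.name;
    const severity = a.security_advisory.severity;
    const range = a.security_vulnerability.vulnerable_version_range;
    const direct = Object.prototype.hasOwnProperty.call(deps, name);
    bySeverity[severity] = (bySeverity[severity] || 0) + 1;
    findings.push({
      package: name, cve: a.security_advisory.cve_id, severity, direct,
      manifest: a.dependency.manifest_path,
      installed: direct ? deps[name] : null,
      // A transitive dependency's resolved version is only in the lockfile, so it is unknown here.
      affected: direct ? inVulnerableRange(deps[name], range) : null,
      vulnerableRange: range,
      firstPatched: a.security_vulnerability.first_patched_version?.identifier ?? null,
    });
  }
  findings.sort((x, y) => (SEVERITY_RANK[x.severity] ?? 9) - (SEVERITY_RANK[y.severity] ?? 9) || x.package.localeCompare(y.package));
  return { findings, bySeverity, openCount: findings.length };
}

// Live variant: page through a repository's open alerts. The token needs the
// "Dependabot alerts: read" permission (fine-grained PAT) or security_events (classic).
async function fetchOpenAlerts(owner, repo, token) {
  const alerts = [];
  for (let page = 1; ; page++) {
    const url = `https://api.github.com/repos/${owner}/${repo}/dependabot/alerts?state=open&per_page=100&page=${page}`;
    const headers = { Accept: 'application/vnd.github+json', Authorization: `Bearer ${token}`, 'X-GitHub-Api-Version': '2022-11-28' };
    const res = await fetch(url, { headers });
    if (!res.ok) throw new Error(`GitHub API returned ${res.status} for ${url}`);
    const batch = await res.json();
    alerts.push(...batch);
    if (batch.length < 100) return alerts;
  }
}

// Offline by default; LIVE_ALERTS=1 (an opt-in invented for this example) plus GITHUB_TOKEN uses real alerts.
const source = process.env.LIVE_ALERTS === '1' && process.env.GITHUB_TOKEN
  ? fetchOpenAlerts(process.env.GITHUB_OWNER || 'timothywarner-org', process.env.GITHUB_REPO || 'globomantics-ghas-dashboard', process.env.GITHUB_TOKEN)
  : Promise.resolve(SAMPLE_ALERTS);
source.then((alerts) => console.log(JSON.stringify(correlate(alerts, DEMO_DEPS), null, 2)))
  .catch((err) => { console.error(err.message); process.exitCode = 1; });
```

The transitive case is where a manifest-only correlation falls short: an alert raised from `package-lock.json` has no entry in `package.json`, so the example reports `affected: null` instead of guessing. A fuller implementation would read the lockfile (or the SBOM export covered in the Module 5 runbook) to get the resolved version.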
---
## :gear: GitHub Actions Workflows
This repository includes three workflows that demonstrate GHAS concepts:
### 1. CI Pipeline (`ci.yml`)
**Purpose:** Standard build and test validation
```yaml
- Runs on: push and pull_request to main
- Steps: Checkout → Setup Node 20 → Install → Lint → Test → Build
```
**Teaching Value:** Shows baseline CI that integrates with security workflows.
---
### 2. Dependency Review (`dependency-review.yml`)
**Purpose:** :shield: **Proactive PR-time security gate** (Domain 3)
```yaml
- uses: actions/dependency-review-action@v4
with:
fail-on-severity: high # Block high/critical CVEs
deny-licenses: GPL-3.0, AGPL-3.0 # Block copyleft licenses
comment-summary-in-pr: always # Post findings on PR
fail-on-scopes: runtime, development
```
**Teaching Value:** Demonstrates shift-left security by blocking vulnerable dependencies *before* they merge. Two practical details: the action compares the dependency graphs of the PR's base and head commits, so it only does useful work on `pull_request` events, and `comment-summary-in-pr` needs `pull-requests: write` in the workflow's `permissions` block.
> :bulb: **Exam Tip:** The dependency review action is **proactive** (it fails the check at PR time for dependencies the PR *introduces*), while Dependabot alerts are **reactive** (raised after merge, either when the dependency graph changes or when a new advisory is published against a dependency you already have).
---
### 3. CodeQL Analysis (`codeql.yml`)
**Purpose:** :mag: Semantic code scanning for security vulnerabilities (Domain 4)
```yaml
- uses: github/codeql-action/init@v3
with:
languages: javascript-typescript
queries: security-extended # Enhanced query suite
```
**Teaching Value:** Shows how CodeQL builds a database from source code and runs security queries. The `init` step must be followed by `github/codeql-action/analyze@v3`, which runs the queries and uploads SARIF results to code scanning; that upload requires `security-events: write` in the workflow's `permissions`.
> :bulb: **Exam Tip:** CodeQL runs on push, PR, and schedule (weekly). The scheduled run matters because the query suites are updated over time, so a scan of unchanged code can still surface newly recognised vulnerability patterns.
---
## :book: Demo Runbooks
Detailed step-by-step demo scripts for Pluralsight recordings:
| Module | Document | Duration | Topics |
|:------:|----------|:--------:|--------|
| **5** | [DEMO-RUNBOOK-M5.md](docs/DEMO-RUNBOOK-M5.md) | 10-13 min | Dependency Graph, SBOM Export, Alert Mechanics |
| **6** | [DEMO-RUNBOOK-M6.md](docs/DEMO-RUNBOOK-M6.md) | 10-13 min | Dependabot Config, Grouped Updates, Dependency Review Action |
Each runbook includes:
- Prerequisites checklist
- Click-by-click navigation
- Talking points and exam tips
- PowerShell/CLI commands
- Troubleshooting guides
---
## :key: Environment Variables
| Variable | Required | Default | Description |
|----------|:--------:|---------|-------------|
| `GITHUB_TOKEN` | :white_check_mark: Yes | - | GitHub PAT with `repo` and `security_events` scopes |
| `GITHUB_OWNER` | No | `timothywarner-org` | Repository owner/organization |
| `GITHUB_REPO` | No | `globomantics-ghas-dashboard` | Repository name |
| `PORT` | No | `3001` | Backend server port |
| `CACHE_TTL` | No | `300000` | API cache TTL in milliseconds (5 min) |
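One way to implement the layer that `CACHE_TTL` configures, as an added example rather than the project's code: a TTL cache with request coalescing, plus a handler factory in Express style. The function names, the fake clock and the counting loaders in `demo()` are assumptions for this example; it runs offline under Node 20 with no dependencies.

```javascript
// Added example, not the dashboard's own code: an in-memory cache with a TTL and
// request coalescing, the layer that the README's CACHE_TTL setting configures.
// A PAT's hourly REST rate limit is shared by everything that uses the token, so a
// dashboard refresh must not turn into a fresh round of GitHub API calls.
// The clock is injectable so expiry can be tested without waiting.

function createTtlCache({ ttlMs = 300000, now = Date.now } = {}) {
  const entries = new Map();   // key -> { value, expiresAt }
  const inFlight = new Map();  // key -> pending Promise shared by concurrent misses
  const stats = { hits: 0, misses: 0, coalesced: 0 };

  async function getOrLoad(key, loader) {
    const entry = entries.get(key);
    if (entry && entry.expiresAt > now()) { stats.hits++; return entry.value; }
    if (inFlight.has(key)) { stats.coalesced++; return inFlight.get(key); }
    stats.misses++;
    const pending = (async () => {
      try {
        const value = await loader();
        entries.set(key, { value, expiresAt: now() + ttlMs });
        return value;
      } finally {
        inFlight.delete(key);   // a failed load is never cached, so the next caller retries
      }
    })();
    inFlight.set(key, pending);
    return pending;
  }

  return { getOrLoad, invalidate: (key) => entries.delete(key), snapshot: () => ({ ...stats, size: entries.size }) };
}

// Express-style handler factory (Express itself is not needed to run this file).
// In the dashboard `loader` would be the Octokit call. The client is told how long
// it may keep the response; upstream error details stay in the server log, not
// in the response body.
function cachedJsonHandler(cache, key, loader, ttlMs) {
  return async (req, res) => {
    try {
      const body = await cache.getOrLoad(key, loader);
      res.set('Cache-Control', `private, max-age=${Math.floor(ttlMs / 1000)}`);
      res.json(body);
    } catch (err) {
      console.error(`upstream load failed for ${key}: ${err.message}`);
      res.status(502).json({ error: 'upstream request failed' });
    }
  };
}

// Self-check with a fake clock and counting loaders standing in for the API.
async function demo() {
  let clock = 0;
  const cache = createTtlCache({ ttlMs: 1000, now: () => clock });
  let calls = 0;
  const loader = async () => { calls++; return { fetchedAt: clock }; };

  // Two concurrent misses produce a single upstream call and share the result.
  const [a, b] = await Promise.all([cache.getOrLoad('alerts', loader), cache.getOrLoad('alerts', loader)]);
  clock = 500;  await cache.getOrLoad('alerts', loader);           // still fresh: served from cache
  clock = 1500; const c = await cache.getOrLoad('alerts', loader); // expired: reloaded

  // A failing loader is not cached; the next call retries and succeeds.
  let attempts = 0;
  const flaky = async () => { if (++attempts === 1) throw new Error('503 from upstream'); return 'ok'; };
  let firstError = null;
  try { await cache.getOrLoad('repo', flaky); } catch (e) { firstError = e.message; }
  const retried = await cache.getOrLoad('repo', flaky);

  return { calls, sameObject: a === b, reloadedAt: c.fetchedAt, firstError, retried, attempts, ...cache.snapshot() };
}

demo().then((r) => console.log(r));
```

Coalescing is the part worth noticing: when the React client mounts several components that each request `/api/alerts`, a plain TTL cache still makes one upstream call per concurrent miss, while the `inFlight` map collapses them into one.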
### Creating a GitHub Personal Access Token
1. Go to **GitHub Settings** > **Developer settings** > **Personal access tokens** > **Tokens (classic)**
2. Click **Generate new token (classic)**
3. Select scopes:
   - :white_check_mark: `repo` (Full control of private repositories)
   - :white_check_mark: `security_events` (Read and write security events)
4. Copy the token to your `.env` file

A least-privilege note: the classic `repo` scope is full read/write access to every repository the token's owner can reach, which is far more than a read-only dashboard needs. A fine-grained token limited to this one repository with **Dependabot alerts: Read**, **Pull requests: Read** and **Metadata: Read** is the right starting point; add a permission only if an endpoint answers with 403. (On a classic token, the Dependabot alerts endpoint requires `security_events`, or `public_repo` for public repositories only.) Whichever kind you create, give it an expiry, keep `.env` out of version control, and revoke the token after the demo; a `repo`-scoped token leaked from a training checkout is as damaging as one leaked from production.
---
## :busts_in_silhouette: Contributing
This is a **teaching artifact** for Pluralsight courses. Contributions that enhance the educational value are welcome!
### Contribution Guidelines
| Category | Welcome? | Examples |
|----------|:--------:|----------|
| Bug fixes | :white_check_mark: Yes | API errors, UI issues |
| Documentation | :white_check_mark: Yes | Typos, clarifications, exam tips |
| New GHAS demos | :white_check_mark: Yes | Secret scanning, code scanning rules |
| Production hardening | :x: No | Updating vulnerable packages defeats the purpose! |
### How to Contribute
1. Fork the repository
2. Create a feature branch (`git checkout -b feature/amazing-demo`)
3. Commit your changes (`git commit -m 'Add amazing demo'`)
4. Push to the branch (`git push origin feature/amazing-demo`)
5. Open a Pull Request
> :warning: **Important:** Do not submit PRs that update the intentionally vulnerable packages. The Dependency Review Action would *not* stop such a PR on its own: it fails a check only for vulnerable or denied-license dependencies a PR **introduces**, and an upgrade to a patched version removes alerts rather than adding them. Keeping the pins in place is a project policy, enforced in review.
---
## :teacher: Author
Tim Warner
Microsoft MVP | Pluralsight Author | Cloud Security Trainer
:email: tim@techtrainertim.com
:globe_with_meridians: techtrainertim.com
:briefcase: LinkedIn
:bird: @TechTrainerTim
---
## :page_facing_up: License
This project is licensed under the **MIT License** - see the [LICENSE](LICENSE) file for details.
```
MIT License
Copyright (c) 2026 Timothy Warner Organization
Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
in the Software without restriction...
```
---
## :link: Resources
### Official Documentation
- [GitHub Advanced Security Documentation](https://docs.github.com/en/get-started/learning-about-github/about-github-advanced-security)
- [Dependabot Documentation](https://docs.github.com/en/code-security/dependabot)
- [CodeQL Documentation](https://codeql.github.com/docs/)
- [GitHub Advisory Database](https://github.com/advisories)
### Certification
- [GitHub Certifications Overview](https://resources.github.com/learn/certifications/)
- [GH-500: GitHub Advanced Security Exam](https://resources.github.com/learn/certifications/)
### Pluralsight
- [Pluralsight GitHub Learning Paths](https://www.pluralsight.com/)
---
Built for GH-500: GitHub Advanced Security Certification Preparation
Globomantics Robotics - Platform Engineering Division
:star: Star this repo if it helped your certification journey! :star: