
Commit 00eef30

Merge pull request #5 from Ignite-GHAS-Workshop/public-to-private-ghas-enabled
Public to private ghas enabled
2 parents 5a3cf44 + b9d9aad commit 00eef30

6 files changed

Lines changed: 120 additions & 19 deletions


README.md

Lines changed: 18 additions & 1 deletion
@@ -59,11 +59,28 @@ This lab will have you utilize Secret Scanning with Push Protection to prevent s
5959

6060
---
6161

62+
### Lab 6 - Hands-on with Security Overview
63+
64+
This lab will teach you how to effectively use the Security Overview to review and alerts and coverage in an organization.
65+
66+
- Get started here - [Lab 6](./_labs/lab6.md)
67+
68+
---
69+
70+
6271
### Extra Credit: Advanced CodeQL Setup
6372

6473
This open-ended extra credit lab will have you switch to the advanced CodeQL setup.
6574

66-
- Get started here - [Extra Credit Lab 1](./_labs/lab6-ec.md)
75+
- Get started here - [Extra Credit Lab 1](./_labs/lab7-ec.md)
76+
77+
---
78+
79+
### Extra Credit: Custom Patterns for Secret Scanning
80+
81+
This open-ended extra credit lab will have you create a custom secret scanning pattern.
82+
83+
- Get started here - [Extra Credit Lab 2](./_labs/lab8-ec.md)
6784

6885
---
6986

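Review bot: the link labels and the file names disagree in this hunk: `[Extra Credit Lab 1](./_labs/lab7-ec.md)` and `[Extra Credit Lab 2](./_labs/lab8-ec.md)`, while the new lab8-ec.md titles itself "Extra Credit - Lab 8". Pick one scheme (either "Extra Credit Lab 7" / "Extra Credit Lab 8" to match the file names, or rename the in-file headings) so the README, the file names and the lab titles agree. The Lab 6 blurb also has a stray word: "review and alerts and coverage" should read "review alerts and coverage".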
_labs/lab1.md

Lines changed: 15 additions & 7 deletions
@@ -7,9 +7,9 @@ Welcome! In this lab, you will be introduced to GitHub Advanced Security (GHAS)
77
> We recommend opening up two browser windows, one with the lab and one with the working copy of your repo!
88
-->
99

10-
## Forking the repository
10+
## Creating the repository
1111

12-
In this exercise, you will fork a repository with code from which you can work to test our the GHAS capabilities.
12+
In this exercise, you will create a repository with code from which you can work to test the GHAS capabilities.
1313

1414
1. Navigate to +++https://github.com/Ignite-GHAS-Workshop/ghas-workshop-repo+++ in your browser.
1515
2. Click the green **Use this template** button in the upper right corner of the page.
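Review bot: the heading and intro now describe creating the repository from a template rather than forking it, but the only guidance on the Owner choice visible in this file is the NOTE in Exercise 2 that sends the reader back here to pick `Ignite24-Labs`. Make the Owner selection an explicit numbered step straight after "Use this template" (unless the unchanged lines 16-43 already do so), because every GHAS step in Exercise 2 depends on the repository living in that organization.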
@@ -44,22 +44,29 @@ Although Dependabot isn't part of the GitHub Advanced Security product suite, it
4444
### Exercise 2: Enable Code Scanning
4545

4646
1. Next, let's enable **Code Scanning with CodeQL**. These settings are also under the **Code security** settings page.
47-
2. Underneath the Code Scanning heading, click the **Set up** button in the **CodeQL analysis** row.
48-
3. There are two options: **Default** and **Advanced**. Select the **Default** option and review the settings.
47+
2. Click the **Enable** button next to GitHub Advanced Security.
48+
3. A prompt will confirm that you want to **Enable GitHub Advanced Security for this repository** - click the button.
49+
- The prompt tells you how many GitHub Advanced Security licenses you would consume by enabling this feature - which is useful if you are an organization owner and want to ensure you have enough licenses for your organization.
50+
4. Underneath the **GitHub Advanced Security | Code scanning** heading, click the **Set up** button in the **CodeQL analysis** row.
51+
52+
> [!NOTE]
53+
> If you do not see the **Code scanning** heading on the **Code security** page after enabling **GitHub Advanced Security** - you have likely not created your repo in the proper Organization. Go back to the beginning of this lab and ensure you choose **Ignite24-Labs** value from the dropdown as the new repository **Owner** when you choose **Use this template** .
54+
55+
5. There are two options: **Default** and **Advanced**. Select the **Default** option and review the settings.
4956
- For this lab, we will use the **Default** setup which creates a managed Actions workflow (i.e. you will not see a file committed to the repo). You can use the Advanced option to manage your code scanning workflow as a GitHub Actions workflow YAML file committed to the repo. The **Default** option is a great option to get started quickly to enable code scanning in a repository without needing to commit any additional code.
5057
- By default, it will scan the JavaScript code, use the default CodeQL queries (for highest precision), and scan the default branch on push, pull request, and on a weekly schedule.
5158

5259
<details>
5360
![image](images/lab-1-2-1.png)
5461
</details>
5562

56-
4. Click the **Enable CodeQL** button to save the settings and enable Code Scanning.
63+
6. Click the **Enable CodeQL** button to save the settings and enable Code Scanning.
5764

5865
<details>
5966
![image](images/lab-1-2-2.png)
6067
</details>
6168

62-
5. Ensure that **Copilot Autofix** is enabled (in the **Code Scanning --> Tools** section).
69+
7. Ensure that **Copilot Autofix** is enabled (in the **Code Scanning --> Tools** section).
6370

6471
<details>
6572
![image](images/lab-1-2-3.png)
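Review bot: the new NOTE after step 4 only catches the wrong-organization problem once the reader goes looking for the Code scanning heading, and its remedy is to restart the lab. The same root cause shows up earlier: the `Enable` button next to GitHub Advanced Security in step 2 is what the NOTE's condition depends on, so put the NOTE (or a one-line pointer to it) directly after step 2, and have it cite the step in Exercise 1 where the Owner dropdown is chosen instead of "the beginning of this lab". Step 3's licence bullet is also the natural place to say why this button exists at all for this lab now (private repository, per the PR title), so readers understand what they are consuming.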
@@ -68,7 +75,7 @@ Although Dependabot isn't part of the GitHub Advanced Security product suite, it
6875
> [!NOTE]
6976
> You don't need a Copilot license in order to use the Copilot features with GitHub Advanced Security. However, Copilot can certainly be helpful in resolving issues in your IDE by using Copilot chat to explain the vulnerability and how to fix it.
7077
71-
6. Optionally, configure the **Check runs failure threshold** - by default, a pull request will be blocked if there are any high or higher security alerts.
78+
8. Optionally, configure the **Check runs failure threshold** - by default, a pull request will be blocked if there are any high or higher security alerts.
7279

7380
### Exercise 3: Enable Secret Scanning
7481

@@ -80,6 +87,7 @@ Although Dependabot isn't part of the GitHub Advanced Security product suite, it
8087
6. Optionally, configure **Who can bypass push protection for secret scanning**.
8188
- By default, as to not interrupt developers' workflows, anyone with write access to the repository can manually bypass a blocked push that contains secrets (administrators will be notified of this, and it is also captured in the audit logs).
8289
- In Private and internal repositories in organizations using GitHub Enterprise Cloud with GitHub Advanced Security enabled, you can change this to only allow select users/teams (or no one) to bypass secret scanning push protection.
90+
7. Note that you can define your own **Custom patterns** from this page to scan for secrets that don't correspond to a known provider pattern.
8391

8492
<details>
8593
![image](images/lab-1-3-1.png)
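Review bot: the new step 7 says custom patterns are defined "from this page", while the new lab8-ec.md sends readers to **Settings --> Code Security and Analysis** and the rest of this file calls it the **Code security** settings page; use one name in all three places. Separately, now that the lab repository is private with GHAS enabled (exactly the case the bullet under step 6 describes), step 6 can be an actual action rather than a remark: have the reader restrict **Who can bypass push protection for secret scanning** to a named team, since the default described in the first bullet lets anyone with write access push a blocked secret through.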

_labs/lab2.md

Lines changed: 16 additions & 11 deletions
@@ -143,31 +143,36 @@ Now that we have all of the security feature enabled, let's review the security
143143
144144
## Exercise 3: Reviewing Secret Scanning alerts
145145

146-
1. Since this is a brand new fork of a public repo, you will not have any secrets detected. The next few steps we will review what you would see if we had any secrets detected (optional steps in Lab 5.)
147-
148-
2. Under the **Security** tab in the repo, click on the **Secret scanning** view. This will show all of the secret scanning alerts. (This should be empty for you.)
149-
150-
<details>
151-
![image](images/lab-2-3-1.png)
152-
</details>
153-
154-
3. Viewing a secret scanning alert shows details about the leak
146+
1. Under the **Security** tab in the repo, click on the **Secret scanning** --> **Default** option. This will show all of the default secret scanning alerts.
147+
2. You should see a number of alerts. For example, there should be a **GitHub Personal Access token alert**. Click it.
155148
- This page shows where in the code the secret was discovered (if there were multiple locations, it would list them all).
156149
- If a secret is found in the code, we would want to revoke manually in the designated service.
157150
- It's recommended to revoke the secret instead of rewriting history because the secret was exposed and you don't know who may have seen it.
158151
- If you re-write history, the secret will still be valid and could be used by an attacker. Also, re-writing history modifies commit hashes and can make traceability more difficult.
159152

160153
<details>
161-
![image](images/lab-2-3-4.png)
154+
![image](images/lab-2-3-1.png)
162155
</details>
163156

164-
4. If you view an alert and choose **Verify secret** and this time, it says **secret inactive**. This is a good candidate to **Close as** --> **Revoked**.
157+
3. You can click on **Verify secret**. It will say it's not currently valid on `github.com`, but that doesn't mean it doesn't come from another GitHub instance (such as GitHub Enterprise Server).
158+
4. Go back to list of secret scanning alerts. Click on the **Google API key** alert.
159+
5. Click on **Verify secret** again. This time, it should say **secret inactive**. This is a good candidate to **Close as** --> **Revoked** (click the **Close as** button in the upper right to do so). Do this.
165160
- Unlike Dependabot alerts and Code Scanning alerts, secret scanning alerts are not automatically closed when the secret is removed from the code - whether by a new commit or by re-writing history. This is because the secret was exposed and you don't know who may have seen it. So, you have to manually close the alert once you revoke the token.
161+
6. Navigate back to the **Default** secret alerts list.
162+
7. We can click **1 Closed** to see the alert we just closed.
166163

167164
<details>
168165
![image](images/lab-2-3-2.png)
169166
</details>
170167

168+
8. Click on the **Experimental** secret scanning alerts option. This will show all of the alerts that are not high confidence, such as generic passwords, keys, and things such as HTTP bearer authentication header tokens found in the code.
169+
9. Let's click into one of the **Password** alerts.
170+
171+
<details>
172+
![image](images/lab-2-3-3.png)
173+
</details>
174+
175+
10. Just like high confidence secret scanning alerts, it shows where the secret was found in the code. The secret was found with AI, so it may or may not be a real secret or password. If it's not, we can close it manually and mark it as a false positive.
171176

172177
## Summary
173178

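Review bot: step 5 closes the Google API key alert as **Revoked** on the strength of a **secret inactive** verification result, which conflates "not currently valid" with "revoked by us". In the lab the key is a planted sample, so say that, and state that outside the lab you revoke in the provider console first and close the alert afterwards, as the bullet under step 5 already implies. Steps 3 and 5 also quote two different result strings for the same **Verify secret** button ("not currently valid" versus "secret inactive"); confirm the exact UI text for each. In step 10, qualify the false-positive close: an experimental password alert should be closed as a false positive only after confirming the value is not a live credential (a test fixture or placeholder, for instance), not because it was AI-detected.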
_labs/lab6.md

Lines changed: 48 additions & 0 deletions
@@ -0,0 +1,48 @@
1+
# Lab 6 - Hands-on with Security Overview
2+
3+
We've covered how to review alerts in a single repository, but how is your org or team doing? Next, we'll check out the Security Overview at the organizational level to see how we can get a high-level view of the security posture of our organization.
4+
5+
This lab covers parts of the following exam domains:
6+
7+
- Domain 6: Describe GitHub Advanced Security best practices
8+
9+
## Exercise 1: Navigating to Security Overview
10+
11+
The Security Overview can be used by anyone inside of an organization; it shows repositories that **you** have access to. If you are an org owner or a security manager, you would see all alerts. If you are a regular org member, you would only see alerts for repositories by default that you have write access to.
12+
13+
> [!NOTE]
14+
> Security alerts for a repository are visible to people with write, maintain, or admin access to the repository and, when the repository is owned by an organization, organization owners. You can give additional teams and people access to the alerts.
15+
1. Navigate to the organization. You can do so by **clicking on the org name** (`Ignite24-Labs`) in the repository breadcrumbs in the upper left hand corner.
16+
- You can also navigate to your orgs by clicking on your profile picture and "**Your organizations**"
17+
2. Click on the **Security** tab.
18+
3. Review (and click on!) the different views on the left-hand side:
19+
- Overview: visualize trends in Detection, Remediation, and Prevention of security alerts ([docs](https://docs.github.com/en/enterprise-cloud@latest/code-security/security-overview/viewing-security-insights#about-security-insights))
20+
- Risk: explore the risk from security alerts of all types or focus on a single alert type and identify your risk from specific vulnerable dependencies, code weaknesses, or leaked secrets ([docs](https://docs.github.com/en/enterprise-cloud@latest/code-security/security-overview/assessing-code-security-risk))
21+
- Coverage: assess the adoption of code security features across repositories in the organization ([docs](https://docs.github.com/en/enterprise-cloud@latest/code-security/security-overview/assessing-adoption-code-security))
22+
- Enablement trends: see how quickly different teams are adopting security features
23+
- CodeQL pull request alerts: assess the impact of running CodeQL on pull requests and how development teams are resolving code scanning alerts ([docs](https://docs.github.com/en/enterprise-cloud@latest/code-security/security-overview/viewing-metrics-for-pull-request-alerts))
24+
- Secret scanning: find out which types of secret are blocked by push protection and which teams are bypassing push protection ([docs](https://docs.github.com/en/enterprise-cloud@latest/code-security/security-overview/viewing-metrics-for-secret-scanning-push-protection))
25+
26+
> [!TIP]
27+
> You can export a CSV of nearly from most of these views using the **Export CSV** button in the upper right.
28+
4. Under the **Overview** view, navigate the sub-views, specifically **Detection** and **Remediation**.
29+
- Note the trends - this is useful information to evaluate the security posture of your organization. Are we getting better over time?
30+
- Being secure requires "constant vigilance"
31+
5. Navigate to the **Risk** view.
32+
6. On the right-hand side, click the **Teams ▾** button/dropdown.
33+
7. Click on the **all users** team - this team is only added to a different sample repo, so note how the total alerts changes.
34+
- This can be really useful for a manager, architect, or developer to see which repositories assigned to the teams have security features enabled and how many alerts they are generating.
35+
8. At the bottom of the options on the left, you will see **Security Campaigns**.
36+
- Security campaigns are a new feature designed to help administrators and security managers create targeted campaigns and track remediation progress effectively.
37+
9. ⚠️ Please don't create a new security campaign as to not introduce noise to your fellow attendees ⚠️, but click on the existing campaign here (**SQL injection (CWE-89)**) to check it out!
38+
- How are we doing on our goal?
39+
40+
## Summary
41+
42+
That's the security overview! Use these views to monitor and manage your security posture effectively. By leveraging the detailed insights provided in each section, you can identify potential threats, take proactive measures, and ensure your systems remain secure.
43+
44+
If you want to learn more about the security overview or about what a particular view shows, check out the [docs](https://docs.github.com/en/enterprise-cloud@latest/code-security/security-overview/about-security-overview)!
45+
46+
Congrats, you have finished all of the main labs! 🎉 If you have time or are up for a challenge, try out the extra credit labs!
47+
48+
➡️ Head back to the [labs](README.md) page to try your hand at the extra credit labs.
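Review bot: the TIP at line 27 is garbled ("export a CSV of nearly from most of these views"); make it "You can export a CSV from most of these views". Line 11 also reads awkwardly ("alerts for repositories by default that you have write access to") and should match the NOTE beneath it: a regular org member sees only alerts for repositories they have write, maintain or admin access to. Calling security campaigns "a new feature" (line 36) will date quickly; drop "new". The Summary's "ensure your systems remain secure" overstates what a dashboard does: the views measure detection, remediation and coverage, which is the claim the lab actually supports.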
File renamed without changes.

_labs/lab8-ec.md

Lines changed: 23 additions & 0 deletions
@@ -0,0 +1,23 @@
1+
# Extra Credit - Lab 8 - Custom Patterns for Secret Scanning
2+
3+
We are just using the out of the box secret scanning settings. Perhaps you are interested in finding other patterns, such as credit card patterns, committed in the code.
4+
5+
6+
## Exercise
7+
8+
Your assignment here is to implement a secret scanning custom pattern. You can start under the **Settings** --> **Code Security and Analysis** page.
9+
10+
If you are looking for an example of what to search for, we suggest creating a pattern for finding a credit card! A developer may or may not have accidentally committed customer credit card numbers to the repository and we need to alert on this.
11+
12+
Create a pattern, run a dry-run, and hopefully you find the pattern! If so, save the custom secret scanning pattern to implement.
13+
14+
15+
> [!TIP]
16+
> AI can help you get started generating those pesky regular expressions using natural language. Look for the **Generate with AI** button in the top right corner.
17+
> For increased precision, you can check out [examples for custom patterns for secret scanning](https://github.com/advanced-security/secret-scanning-custom-patterns/tree/main?tab=readme-ov-file#personally-identifiable-information-pii), including a credit card example (under PII), in the [advanced-security/secret-scanning-custom-patterns](https://github.com/advanced-security/secret-scanning-custom-patterns/tree/main?tab=readme-ov-file#personally-identifiable-information-pii) repo!
18+
19+
## Summary
20+
21+
In this lab, you should have identified the credit card number that was accidentally committed. Custom secret scanning patterns offer an excellent way to implement additional scanning patterns that are crucial for your organization!
22+
23+
➡️ Head back to the [labs](README.md) page.
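Review bot: the exercise hedges ("may or may not have accidentally committed", "hopefully you find the pattern") while the Summary asserts that a credit card number was committed and should have been found; pick one, and if a number is planted in the template repository, say so in the exercise. Line 8's **Settings --> Code Security and Analysis** should use the same page name as lab1.md (**Code security**). The TIP links two phrases to the same PII anchor of the advanced-security/secret-scanning-custom-patterns repo; one link is enough. Worth adding a caveat that a bare run-of-digits regex will match order IDs and other numbers, which is exactly what the dry run is for: review the dry-run hits and tighten the pattern before saving it.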
