tuning secrets scanning docs and examples

austimkelly · Jan 11, 2024 · 9bccec1 · 9bccec1
1 parent 8af27f2
commit 9bccec1
Show file tree

Hide file tree

Showing 5 changed files with 8 additions and 521 deletions.
diff --git a/.gitignore b/.gitignore
@@ -127,7 +127,7 @@ celerybeat.pid
 *.sage.py
 
 # Environments
-#.env
+.env
 .venv
 env/
 venv/

diff --git a/doc/ghas-checklist.md b/doc/ghas-checklist.md
@@ -2,11 +2,13 @@
 
 * [ ] Enable Secrets Scanning - See [Configure secrets scan](https://docs.github.com/en/enterprise-cloud@latest/code-security/secret-scanning/configuring-secret-scanning-for-your-repositories)
 * [ ] Enabled Secrets Push Protection - See [Push protection for repositories](https://docs.github.com/en/enterprise-cloud@latest/code-security/secret-scanning/push-protection-for-repositories-and-organizations)
+* [ ] Understand the scanning patterns and limitations of secrets scanning and push protection -  See [Push protection limitations](https://docs.github.com/en/enterprise-cloud@latest/code-security/secret-scanning/troubleshooting-secret-scanning#push-protection-limitations) and [Secret scanning patterns](https://docs.github.com/en/code-security/secret-scanning/secret-scanning-patterns)
 * [ ] Find & manage secret alerts - See [Manage secret alerts](https://docs.github.com/en/enterprise-cloud@latest/code-security/secret-scanning/managing-alerts-from-secret-scanning)
 * [ ] Try to push a secret with push protection enabled - See [Using secret as a push protection on the command line](https://docs.github.com/en/enterprise-cloud@latest/code-security/secret-scanning/push-protection-for-repositories-and-organizations#using-secret-scanning-as-a-push-protection-from-the-command-line)
-* [ ] Create a custom secret scanning pattern - [See Define Custom Patterns](https://docs.github.com/en/enterprise-cloud@latest/code-security/secret-scanning/defining-custom-patterns-for-secret-scanning)
+* [ ] Create a custom secret scanning pattern - [See Define Custom Patterns](https://docs.github.com/en/enterprise-cloud@latest/code-security/secret-scanning/defining-custom-patterns-for-secret-scanning). This requires an enterprise license.
 * [ ] Create an exclude pattern for files and folders - See [Excluding directories from secrets scanning alerts for users](https://docs.github.com/en/enterprise-cloud@latest/code-security/secret-scanning/configuring-secret-scanning-for-your-repositories#excluding-directories-from-secret-scanning-alerts-for-users)
 
+
 # Dependabot alerts checklist
 
 * [ ] Enable Dependabot alerts - See [Configuring Dependabot Alerts](https://docs.github.com/en/enterprise-cloud@latest/code-security/dependabot/dependabot-alerts/configuring-dependabot-alerts)

diff --git a/doc/ghas-exercises.md b/doc/ghas-exercises.md
@@ -22,7 +22,7 @@ If you fork this repository in a public account, you will have access to all the
 
 # Set-up
 
-1. Fork this repository to your own account.
+1. Fork this repository to your own account. **NOTE** Make sure for fork this to your own account and not one part of an enterprise org. Forking to an enterprise org may cause unnecessary security alerts depending on how they are monitored.
 2. Navigate to `https[X]://github.com/{your account id}/swiss-cheese/settings/security_analysis`. You will see the unset security settings:
 
 ![GHAS Settings](./img/empty_security_settings.png)

diff --git a/secrets/.env b/secrets/.env
@@ -28,4 +28,6 @@ SLACK_WORKFLOW_WEBHOOK_URL=https://hooks.slack.com/services/T00000000/B00000000/
 SQUARE_ACCESS_TOKEN=sq0atp-XXXXXXXXXXXXXXXXXXXXXXXXX
 
 # CloudBees CodeShip
-CODESHIP_CREDENTIAL=cs_1234567890abcdef
+CODESHIP_CREDENTIAL=cs_1234567890abcdef
+
+octocat_token_1234567890abcde
-Original file line number
+Diff line change
@@ Expand Up / @@ -127,7 +127,7 @@ celerybeat.pid @@
     *.sage.py
     # Environments
-    #.env
+    .env
     .venv
     env/
     venv/
@@ Expand Down @@