diff --git a/labs/azuredevops/codescan/readme.md b/labs/azuredevops/codescan/readme.md new file mode 100644 index 0000000000..970789eaac --- /dev/null +++ b/labs/azuredevops/codescan/readme.md @@ -0,0 +1,300 @@ +--- +title: Code Scanning with Azure DevOps +layout: page +sidebar: vsts +permalink: /labs/azuredevops/codescan/ +folder: /labs/azuredevops/codescan/ +version: Lab version - 1.37.1 +updated: Last updated - 22/07/2024 +--- +
+ + + +## Prerequisites ## +In this exercise, you will set up the **Tailwind Traders** project in Azure DevOps to explore the features on GitHub Advanced Security for Azure DevOps (GHAzDO). Complete the following steps to set up the Tailwind Traders project in Azure DevOps from [prerequisites](../prereq-ghas/readme.md). + + +## Getting Started + +If you followed **Module 0 - Setup and Automation** you will have already enabled **_GitHub Advanced Security for Azure DevOps_**, **_Secret Scanning_**, and **_Push Protection_** at the repository level. + +Once this is enabled, navigate to https://dev.azure.com/mstechbootcamp/, select your team project **tp-<**yourgithubhandle**>**, and select the **TailwindTraders** repository to begin working through this module. + +------ +## Contents + +- [Lab 1: Setting up Code Scanning](#lab-1-setting-up-code-scanning) +- [Lab 2: Review Code Scanning Alerts](#lab-2-review-code-scanning-alerts-gain-insights) +- [Lab 3: Resolution of Code Scanning Alerts](#lab-3-resolution-of-code-scanning-alerts-fix-leak) + +------ + +## Lab 1: Setting up code scanning +Code scanning is a pipeline-based scanning tool and aggregated per repository. Add the code scanning task following the build steps of a pipeline that builds the code you want to scan. + +1. Click on **Pipelines**, then click on **tailwindtraders-codescanning.yml**, and click **Edit** to enable code scanning. + +2. Add the tasks in the following order directly to your YAML pipeline file: + - Advanced Security Initialize CodeQL + - Advanced Security AutoBuild (language-dependent) + - Advanced Security Perform CodeQL Analysis + - Advanced Security Publish Results + + ```yaml + - task: AdvancedSecurity-Codeql-Init@1 + - task: AdvancedSecurity-Codeql-Autobuild@1 + - task: AdvancedSecurity-Codeql-Analyze@1 + - task: AdvancedSecurity-Codeql-Publish@1 + ``` + +
+Solution + +```yaml + +trigger: +- main + +variables: + resource-group: "ghazdo-workshops" + BuildConfiguration: "Release" + BuildPlatform: "any cpu" + Parameters.RestoreBuildProjects: "**/*.csproj" + Parameters.TestProjects: "**/*[Tt]ests/*.csproj" + webapp_name: tailwind-github-demo + advancedsecurity.submittoadvancedsecurity: true + +pool: + vmImage: windows-latest + +stages: +- stage: 'AdvancedSecurityScan' + displayName: 'Advanced Security' + jobs: + - job: + displayName: 'Advanced Security Scanning' + steps: + + # Setup Node.js environment + - task: NodeTool@0 + displayName: 'Use Node 10.16.3' + inputs: + versionSpec: 10.16.3 + + # Initializes the CodeQL tools for scanning. + - task: AdvancedSecurity-Codeql-Init@1 + inputs: + languages: 'csharp, javascript' + + # Autobuild attempts to build any compiled languages (C/C++, C#, or Java). + - task: AdvancedSecurity-Codeql-Autobuild@1 + + # Performs CodeQL Analysis + - task: AdvancedSecurity-Codeql-Analyze@1 + + # Publish Results to Advance Security Dashboard + - task: AdvancedSecurity-Publish@1 + +``` + +
+ +3. Click **Save** to save the pipeline configuration file. + +4. The build will automatically run the build, Code Scanning task and publish the results to Advanced Security. this might take up to 5 minutes to complete. + + ![Image](images/2023-06-15_16-00-08.png =900x) + +> **ProTip!** Always use a separate pipeline, not the main build pipeline. Code Scanning can be a time-intensive build task. + +## Lab 2: Review Code Scanning Alerts (Gain Insights) +GitHub experts, security researchers, and community contributors write and maintain the default CodeQL queries used for code scanning. The queries are regularly updated to improve analysis and reduce any false positive results. You can also write your own queries to customize your code scanning experience. + +1. You can view the specific queries and task details used by CodeQL by looking through the build log, similar to dependency scanning. + +2. Click on **Pipelines**, then click on **tailwindtraders-codescanning.yml**, click the last run. + +3. Under **Jobs**, click on **Advanced Security Scanning** to view logs. + +4. Click on **AdvancedSecurityCodeqlInit** step to view details. + + ![Image](images/2023-06-24_11-12-08.png =900x) + +### Alerts Review +Code scanning alerts include code scanning flags by repository that alert of code-level application vulnerabilities. + +1. Go to the **Repos** tab and click on the **Advanced Security** menu item on the bottom. +2. Click on **Code scanning** to see a list of all the code scanning alerts that have been found. This includes the **Alert** and **First detected** date. + + ![Image](images/2023-06-24_11-15-55.png =900x) + +### Alerts Details +Select an alert for more details, including remediation guidance. Each alert includes a location, description, example, and severity. You can also view the code that triggered the alert. + +1. Click on **_Clear-text logging of sensitive information_** to see more details about the alert and what you can do to clean up the alert. 
+ +2. Notice this includes the **Recommendation**, **Locations** found, **Remediation Steps**, **Severity**, and the **Date** it was first intruduced. We can easily clean this up and dismiss the alert. + +3. Click on the **Locations** to see the code that triggered the alert, line **805**. + + ![Image](images/2023-06-27_13-59-37.png =900x) + +```csharp +console.log(chalk.white(JSON.stringify(profile, null, 2))); +``` + +### Dismissing Alert +Code scanning you may encounter errors in the history of code scanning results. Resolving errors in the history typically involves investigating the specific errors reported and taking appropriate actions to address them. You can follow these steps to dismiss the alert. + +2. Click the browser **Back** button to return to the **_Clear-text logging of sensitive information_** alert to see how we easily dismiss it. + +3. Click on **Close alert** to dismiss the alert, and select **Risk Accepted**, then click **Close**. + + ![Image](images/2023-06-24_11-23-38.png =300x) + + > Note: This only dismisses the alert for your selected branch. Other branches that contain the same vulnerability stay active until dismissed. + +4. Let's run the **tailwindtraders-codescanning** build to scan the repo again. Click on **Pipelines**, click **tailwindtraders-codescanning**, the click **Run Pipeline**. + +5. Once the build completes, go to the **Azure DevOps Advanced Security dashboard** and click on **Code scanning**. + +6. You will see that the alert **_Clear-text logging of sensitive information_** no longer exists, as it is now revoked. + +## Lab 3: Resolution of Code Scanning Alerts (Fix Leak) +GitHub Advanced Security for Azure DevOps code scanning alerts include code scanning flags by repository that alert of code-level application vulnerabilities. Code scanning alerts are aggregated per repository and are available in the Advanced Security tab under Repos. + +### Reviewing Alerts +1. 
Go to the **Repos** tab and click on the **Advanced Security** menu item on the bottom. +2. Click on **Code scanning** to see a list of all alerts that have been found. This includes the **Alert** and **First detected** date. + + ![Image](images/2023-06-23_14-04-23.png =900x) + +3. Click on **_SQL query built from user-controlled sources_** to see more details about the alert and what you can do to clean up the secret. + +2. Notice this includes the **Recommendation**, **Locations** found, **Remediation Steps**, **Severity**, and the **Date** it was first intruduced. Following the steps can resolve the alert, allowing it to be dismissed. + + ![Image](images/2023-06-27_14-08-35.png =900x) + +5. Review the **Recommendation**, **Example**, and **Locations** to understand the issue and how to resolve it. + +**ProTip!** By parameterizing the query and using placeholders, this adapted code helps prevent SQL injection by treating the values as parameters rather than directly concatenating them into the query. + +### Resolving Alerts +1. This is simple to fix using the method **use parameters with dynamic SQL** described in the **Remediation steps**. + + > Note: SQL injection is consistently ranked among the top vulnerabilities in web applications. It is considered a high-priority issue due to its potential to cause significant damage and compromise the security of an application and its underlying data. + +2. Click on **Locations found** to see the code that triggered the alert. + + ![Image](images/2023-06-23_14-18-59.png =800x) + +3. Click on the **Edit** button to edit the file. Replace line **17** with the following code: + + ```csharp + string query = "SELECT * FROM Users WHERE Username = @username AND Password = @password"; + ``` + +4. Add the following two lines of code right after line **21**: + + ```csharp + command.Parameters.AddWithValue("@username", username); + command.Parameters.AddWithValue("@password", password); + ``` + +
+Solution + +```csharp + public bool AuthenticateUser(string username, string password) + { + string query = "SELECT * FROM Users WHERE Username = @username AND Password = @password"; + + using (SqlConnection connection = new SqlConnection(_connectionString)) + { + SqlCommand command = new SqlCommand(query, connection); + command.Parameters.AddWithValue("@username", username); + command.Parameters.AddWithValue("@password", password); + + try + { + connection.Open(); + SqlDataReader reader = command.ExecuteReader(); + + if (reader.HasRows) + { + reader.Close(); + return true; + } + + reader.Close(); + return false; + } + catch (Exception ex) + { + Console.WriteLine("Error: " + ex.Message); + return false; + } + } + } + +``` + +
+ +5. Click **Commit** to save changes. Enter **SqlInjectionFix** for branch name and check **Create a pull request**, then click **Commit** again. + + > Note: This step is necessary since the main branch is protected by a pull request pipeline. + + ![Image](images/2023-06-23_14-25-00.png =450x) + +6. Click **Create** on the New pull request page to merge the changes into the main branch. + + ![Image](images/2023-06-23_14-36-29.png =700x) + +7. This will run the **tailwindtraders-pullrequests** pipeline and validate the changes. + +8. Once the pipeline has completed, click **Approve** and **Complete** + +9. Change **Merge Type** to **Squash commit** and check box **Delete SqlInjectionFix after merging**, to merge changes into the main branch. + + ![Image](images/2023-06-23_14-52-52.png =400x) + + > Note: The build will run automatically, initiating the code scanning task and publishing the results to Advanced Security. + +### Dismissing Alert +Code scanning you may encounter errors in the history of code scanning results. Resolving errors in the history typically involves investigating the specific errors reported and taking appropriate actions to address them. You can follow these steps to dismiss the alert. + +1. Once the pipeline **tailwindtraders-build.yml** and **tailwindtraders-codescanning** have completed, go to the **Azure DevOps Advanced Security dashboard** and click on **Code scanning**. + + > Note: The build will run automatically, initiating the secret scanning task, publish the results to Advanced Security, and alert will automatically closed. However, the exposed issue will still be in the history and must be dismissed. + +2. Click on the following item, **_SQL query built from user-controlled sources_** to see the alert and how we easily dismiss it. + +3. Click on **Close alert** to dismiss the alert, and select **Revoked**, then click **Close**. 
+ + ![Image](images/2023-06-24_08-15-20.png) + + > Note: Once the code is merged into main, GHAzDO starts off a background scan of this repo and looks for exposed credentials. The scan doesn't just look at tip of main either, since attackers would look through all the branches and entire commit history. + +5. Go to the **Azure DevOps Advanced Security dashboard** and click on **Code scanning**, you will see a list of all the exposed Secrets alerts that have been found. + +6. You will see that the alert **_SQL query built from user-controlled sources_** no longer exists, as it is now revoked. + +**ProTip!** Anyone with contributor permissions for a repository can view a summary of all alerts for a repository but only project administrators can dismiss Advanced Security alerts. + +>Note: Code Scanning queries are open source, so you can view and contribute to the queries in the https://github.com/github/codeql repository. + +## Congratulations you've made it to the end! 🎉 + +### References + +- [GitHub Advanced Security for Azure DevOps, Code Scanning](https://learn.microsoft.com/en-us/azure/devops/repos/security/configure-github-advanced-security-features?view=azure-devops&tabs=yaml#set-up-code-scanning) + +- [CodeQL query help for C#](https://codeql.github.com/codeql-query-help/csharp/) + +- [Browsing security advisories in the GitHub Advisory Database](https://docs.github.com/en/code-security/security-advisories/global-security-advisories/browsing-security-advisories-in-the-github-advisory-database) + +- [Open source repository containing the standard CodeQL libraries and queries](https://github.com/github/codeql) + +- [Azure DevOps - Extra Setting up self-hosted agents](https://learn.microsoft.com/en-us/azure/devops/repos/security/configure-github-advanced-security-features?view=azure-devops&tabs=yaml#set-up-code-scanning) \ No newline at end of file 
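Review bot: Lab 1 step 2 and the Solution in this hunk disagree on the publish task: step 2 adds `- task: AdvancedSecurity-Codeql-Publish@1`, while the Solution (and the dependency scanning lab added in this same patch) uses `- task: AdvancedSecurity-Publish@1`; use one name in both places, since a learner who copies the step 2 snippet ends up with a task the Solution never uses. Other issues in the same file: the Lab 2 "Locations" snippet `console.log(chalk.white(JSON.stringify(profile, null, 2)));` is JavaScript but is fenced as csharp; Lab 2 closes the alert with **Risk Accepted** yet step 6 says it "no longer exists, as it is now revoked", and that numbered list starts at 2; the Lab 3 "Reviewing Alerts" list runs 1, 2, 3, 2, 5, and its "Dismissing Alert" section reuses secret-scanning wording for a code scanning alert ("initiating the secret scanning task", "looks for exposed credentials", "exposed Secrets alerts", dismissal reason **Revoked**) and asks to "clean up the secret" where the finding is SQL injection; the sentence "Code scanning you may encounter errors in the history of code scanning results." appears twice and does not parse. On the fix itself, the parameterized query is the correct remediation for the injection finding, but `Password = @password` still compares a stored plaintext password, so the lab should not present that method as fully resolved, and `SqlDataReader` is better wrapped in a `using` so it is closed on the exception path too. Typos: "intruduced" (twice), "Advance Security Dashboard", "the click **Run Pipeline**".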
diff --git a/labs/azuredevops/continuousintegration/images/002-01.png b/labs/azuredevops/continuousintegration/images/002-01.png new file mode 100644 index 0000000000..7b50751c9b Binary files /dev/null and b/labs/azuredevops/continuousintegration/images/002-01.png differ diff --git a/labs/azuredevops/continuousintegration/images/002-02.png b/labs/azuredevops/continuousintegration/images/002-02.png new file mode 100644 index 0000000000..5c41d6a5ae Binary files /dev/null and b/labs/azuredevops/continuousintegration/images/002-02.png differ diff --git a/labs/azuredevops/continuousintegration/images/002-03.png b/labs/azuredevops/continuousintegration/images/002-03.png new file mode 100644 index 0000000000..6b3234ba5a Binary files /dev/null and b/labs/azuredevops/continuousintegration/images/002-03.png differ diff --git a/labs/azuredevops/continuousintegration/images/002-04.png b/labs/azuredevops/continuousintegration/images/002-04.png new file mode 100644 index 0000000000..f1dc56a904 Binary files /dev/null and b/labs/azuredevops/continuousintegration/images/002-04.png differ diff --git a/labs/azuredevops/continuousintegration/images/002.png b/labs/azuredevops/continuousintegration/images/002.png index 6978d42045..67cd3fe2df 100644 Binary files a/labs/azuredevops/continuousintegration/images/002.png and b/labs/azuredevops/continuousintegration/images/002.png differ diff --git a/labs/azuredevops/continuousintegration/images/014.png b/labs/azuredevops/continuousintegration/images/014.png index c080edd955..d54849dc9a 100644 Binary files a/labs/azuredevops/continuousintegration/images/014.png and b/labs/azuredevops/continuousintegration/images/014.png differ diff --git a/labs/azuredevops/continuousintegration/images/015.png b/labs/azuredevops/continuousintegration/images/015.png index 498c046400..71e1b9f4b7 100644 Binary files a/labs/azuredevops/continuousintegration/images/015.png and b/labs/azuredevops/continuousintegration/images/015.png differ 
diff --git a/labs/azuredevops/continuousintegration/images/016-00.png b/labs/azuredevops/continuousintegration/images/016-00.png new file mode 100644 index 0000000000..edf5411bfa Binary files /dev/null and b/labs/azuredevops/continuousintegration/images/016-00.png differ diff --git a/labs/azuredevops/continuousintegration/images/016-01.png b/labs/azuredevops/continuousintegration/images/016-01.png new file mode 100644 index 0000000000..a151266452 Binary files /dev/null and b/labs/azuredevops/continuousintegration/images/016-01.png differ diff --git a/labs/azuredevops/continuousintegration/images/019.png b/labs/azuredevops/continuousintegration/images/019.png index f01d373253..cd9931cb31 100644 Binary files a/labs/azuredevops/continuousintegration/images/019.png and b/labs/azuredevops/continuousintegration/images/019.png differ diff --git a/labs/azuredevops/continuousintegration/images/027.png b/labs/azuredevops/continuousintegration/images/027.png index c10417d3a9..20eb131528 100644 Binary files a/labs/azuredevops/continuousintegration/images/027.png and b/labs/azuredevops/continuousintegration/images/027.png differ diff --git a/labs/azuredevops/continuousintegration/images/disable-ci.png b/labs/azuredevops/continuousintegration/images/disable-ci.png index 11bcab9c1d..7fe782ee38 100644 Binary files a/labs/azuredevops/continuousintegration/images/disable-ci.png and b/labs/azuredevops/continuousintegration/images/disable-ci.png differ diff --git a/labs/azuredevops/continuousintegration/images/edit-pipeline.png b/labs/azuredevops/continuousintegration/images/edit-pipeline.png index 375a95ff1a..3f304b2454 100644 Binary files a/labs/azuredevops/continuousintegration/images/edit-pipeline.png and b/labs/azuredevops/continuousintegration/images/edit-pipeline.png differ 
diff --git a/labs/azuredevops/continuousintegration/images/edit-triggers.png b/labs/azuredevops/continuousintegration/images/edit-triggers.png new file mode 100644 index 0000000000..90b18ec447 Binary files /dev/null and b/labs/azuredevops/continuousintegration/images/edit-triggers.png differ diff --git a/labs/azuredevops/continuousintegration/readme.md b/labs/azuredevops/continuousintegration/readme.md index 04f36360e0..8fb3ea8536 100644 --- a/labs/azuredevops/continuousintegration/readme.md +++ b/labs/azuredevops/continuousintegration/readme.md @@ -5,7 +5,7 @@ sidebar: vsts permalink: /labs/azuredevops/continuousintegration/ folder: /labs/azuredevops/continuousintegration/ version: Lab version - 1.37.1 -updated: Last updated - 05/11/2020 +updated: Last updated - 22/04/2024 redirect_from: "/labs/vsts/continuousintegration/index.htm" ---
@@ -37,11 +37,13 @@ In this lab, you will learn how to configure continuous integration (CI) and con ![](images/000.png) -1. Open (click) the existing **PartsUnlimitedE2E** pipeline (which was created by the demo generator tool) and click on **Edit** +1. Open (click) the existing **PartsUnlimited** pipeline (which was created by the demo generator tool) and click on **Edit** ![](images/edit-pipeline.png) -1. Not to have two pipelines triggered later in the lab, disable the CI trigger for the template created pipeline (uncheck) and **Save**. +1. Not to have two pipelines triggered later in the lab, disable the CI trigger for the template created, by navigating to the triggeres section of the pipeline, enable the checkbox to override the current trigger option and **Save**. + + ![](images/edit-triggers.png) ![](images/disable-ci.png) 
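Review bot: the rewritten step in this hunk is hard to follow and has a typo: "disable the CI trigger for the template created, by navigating to the triggeres section of the pipeline, enable the checkbox to override the current trigger option and **Save**" drops the noun after "template created" and misspells "triggers". Suggest: "To avoid two pipelines being triggered later in the lab, open the **Triggers** section of the template-created pipeline, check the option to override the YAML trigger, uncheck continuous integration, and click **Save**." The two screenshots (`edit-triggers.png`, `disable-ci.png`) then match that order.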
@@ -49,46 +51,31 @@ In this lab, you will learn how to configure continuous integration (CI) and con ![](images/001.png) -1. The default option for build pipelines involves using YAML to define the process. If you are interested in that, please check out that lab. For this lab, click **use the classic editor**. +1. The default option for build pipelines involves using YAML to define the process. ![](images/002.png) -1. The first thing you'll need to do is to configure the source repository. Every major platform is available, but the default options are all we need here. This build will use the **master** branch of the **PartsUnlimited** repo. Leave the defaults and click **Continue**. - - ![](images/003.png) - -1. Locate the **ASP.NET** template and click **Apply** to apply this template to the build definition. Note that there are many options that should cover all of our mainstream scenarios. For our purposes here, we'll just build the project using the baseline ASP.NET template. - - ![](images/template.png) - -1. The process for this build pipeline is easy to follow. After getting the source, Azure DevOps will use NuGet to restore any dependent packages. Then, the project will be built and tested. The results will then be published to the configured target. - - ![](images/005.png) - -1. Select the **Variables** tab. Here you can configure special parameters to be used during the build, such as the configuration or platform. +1. The first thing you'll need to do is to configure the source repository. Every major platform is available, but the default options are all we need here. This build will use the **master** branch of the **PartsUnlimited** repo. - ![](images/006.png) + ![](images/002-01.png) -1. Select the **Triggers** tab. These triggers enable you to automatically invoke builds on a schedule, when another build completes, or when changes are made to the source. 
Check **Enable continuous integration** so that this build will get invoked whenever source changes are committed. +1. Configure the pipeline with the existing YAML file. Click **Existing Azure Pipelines YAML file**. - ![](images/007.png) + ![](images/002-02.png) -1. Select the **Options** tab. This section includes a wide variety of options related to the build workflow. Note that you'll generally configure options for specific build tasks on the configuration views of the tasks themselves. +1. Choose the YAML file path from the **master** branch of the PartsUnlimited repo. Click **Continue**. - ![](images/008.png) + ![](images/002-03.png) +1. Review the YAML file and click **Save** or **Run** the pipeline. -1. Select the **History** tab. There's nothing here yet, but it will show a history of changes you make to the build definition. + ![](images/002-04.png) - ![](images/011.png) -1. Select **Save & Queue \| Save & Queue** to save and queue a new build. + > **Note:** The YAML file contains the deployment script, which helps to deploy the application to Azure App Service. This needs to be updated with the correct Azure Subscription and App Service Name. This will be converd in the next lab. - ![](images/012.png) +1. Continious Integration trigger will be enabled for the pipeline, click on **Run** to trigger the build. Refer to the document for more details on [YAML Pipeline Triggers](https://learn.microsoft.com/en-us/azure/devops/pipelines/build/triggers?view=azure-devops#branch-consideration-for-triggers-in-yaml-pipelines). -1. Accept the default options by clicking **Save and run**. - - ![](images/013.png) ### Task 2: Tracking and reviewing a build ### 
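Review bot: the first changed step in this hunk no longer tells the learner what to do: the old text ended with "click **use the classic editor**", the new text is only "The default option for build pipelines involves using YAML to define the process." with no action, so state which option to select (the following steps go through the existing-YAML route). The two later steps "Review the YAML file and click **Save** or **Run** the pipeline." and "Continious Integration trigger will be enabled for the pipeline, click on **Run** to trigger the build." both end in a run, while the Note between them says the deployment script "needs to be updated with the correct Azure Subscription and App Service Name"; say whether the learner should only **Save** here and expect the deployment stage to fail or wait, rather than leaving both. Typos: "converd", "Continious".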
@@ -102,19 +89,13 @@ In this lab, you will learn how to configure continuous integration (CI) and con ![](images/015.png) 1. If you want to review an earlier task, you can scroll the right pane to review its logs. - - ![](images/016.png) - + ![](images/016-00.png) 1. The build should eventually succeed. You can return to the summary view by clicking the back button. - ![](images/017.png) + ![](images/016-01.png) 1. The summary view provides overview details about the build, including details about commits, tests, and artifacts. - ![](images/018.png) - -1. Select the **Tests** tab to review test performance for this build. Note that you also have easy access to the pipeline editor, the ability to queue a new build, and download the artifacts of this build. - ![](images/019.png) @@ -144,11 +125,10 @@ In this lab, you will learn how to configure continuous integration (CI) and con ![](images/025.png) -1. You should now see that a new build (note the **.2**) is in progress and that it was triggered by your change. Click the build to track it. Note that it may be queued behind another build pipeline configured for continuous integration. - - ![](images/026.png) -1. This build should run and succeed just like the previous build. +1. This build should run and succeed just like the previous build, and waiting for permission to continue with the next stages to deploy the application. ![](images/027.png) + +Follow the instructions in the next exercise to deploy the application to Azure App Service using Continuous Deployment with Azure Pipelines. \ No newline at end of file diff --git a/labs/azuredevops/dependencyscan/images/000.png b/labs/azuredevops/dependencyscan/images/000.png new file mode 100644 index 0000000000..7e32bfa0a6 Binary files /dev/null and b/labs/azuredevops/dependencyscan/images/000.png differ 
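Review bot: in the @@ -144,11 hunk, the sentence "This build should run and succeed just like the previous build, and waiting for permission to continue with the next stages to deploy the application." is ungrammatical and leaves the learner without instructions: the removed step ("You should now see that a new build (note the **.2**) is in progress ... Click the build to track it.") was the only place that told them how to locate the new run, and the new text does not say what approval the run is waiting on or whether to act on it. Suggest keeping a locate-the-build step and rewriting: "This build should run and succeed like the previous one, then pause waiting for approval before the deployment stages; leave it waiting for now, as the next exercise covers deployment."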
diff --git a/labs/azuredevops/dependencyscan/images/001.png b/labs/azuredevops/dependencyscan/images/001.png new file mode 100644 index 0000000000..0d9fc57a3d Binary files /dev/null and b/labs/azuredevops/dependencyscan/images/001.png differ diff --git a/labs/azuredevops/dependencyscan/images/002.png b/labs/azuredevops/dependencyscan/images/002.png new file mode 100644 index 0000000000..5ed0efa2d7 Binary files /dev/null and b/labs/azuredevops/dependencyscan/images/002.png differ diff --git a/labs/azuredevops/dependencyscan/images/003.png b/labs/azuredevops/dependencyscan/images/003.png new file mode 100644 index 0000000000..d728043c4d Binary files /dev/null and b/labs/azuredevops/dependencyscan/images/003.png differ diff --git a/labs/azuredevops/dependencyscan/images/004.png b/labs/azuredevops/dependencyscan/images/004.png new file mode 100644 index 0000000000..9e30f6a4bd Binary files /dev/null and b/labs/azuredevops/dependencyscan/images/004.png differ diff --git a/labs/azuredevops/dependencyscan/images/005.png b/labs/azuredevops/dependencyscan/images/005.png new file mode 100644 index 0000000000..b67ebbcc03 Binary files /dev/null and b/labs/azuredevops/dependencyscan/images/005.png differ diff --git a/labs/azuredevops/dependencyscan/images/006.png b/labs/azuredevops/dependencyscan/images/006.png new file mode 100644 index 0000000000..82b46588e8 Binary files /dev/null and b/labs/azuredevops/dependencyscan/images/006.png differ diff --git a/labs/azuredevops/dependencyscan/images/007.png b/labs/azuredevops/dependencyscan/images/007.png new file mode 100644 index 0000000000..e82bc8c9f4 Binary files /dev/null and b/labs/azuredevops/dependencyscan/images/007.png differ diff --git a/labs/azuredevops/dependencyscan/images/008.png b/labs/azuredevops/dependencyscan/images/008.png new file mode 100644 index 0000000000..2dce0c801a Binary files /dev/null and b/labs/azuredevops/dependencyscan/images/008.png differ 
diff --git a/labs/azuredevops/dependencyscan/readme.md b/labs/azuredevops/dependencyscan/readme.md new file mode 100644 index 0000000000..1bdbd274ac --- /dev/null +++ b/labs/azuredevops/dependencyscan/readme.md @@ -0,0 +1,269 @@ +--- +title: Dependency Scanning with Azure DevOps +layout: page +sidebar: vsts +permalink: /labs/azuredevops/dependencyscan/ +folder: /labs/azuredevops/dependencyscan/ +version: Lab version - 1.37.1 +updated: Last updated - 22/07/2024 +--- +
+ + + +## Prerequisites ## +In this exercise, you will set up the **Tailwind Traders** project in Azure DevOps to explore the features on GitHub Advanced Security for Azure DevOps (GHAzDO). Complete the following steps to set up the Tailwind Traders project in Azure DevOps from [prerequisites](../prereq-ghas/readme.md). + + +### Task 1: Dependency Scanning Overview ### + +Dependency Scanning scans your project's dependencies, such as libraries, frameworks, and packages, to identify any known security vulnerabilities or outdated versions that may pose a risk to your application. + +### Details about Dependency Scanning ### + +### About + +Whenever there is a change in the dependency graph of a repository and a pipeline with the dependency scanning task is executed, a new snapshot of the components is stored. The dependency scanning task analyzes the dependencies in various programming languages such as Go, Maven, npm (including Yarn and pnpm), NuGet, Pip, Ruby, and Rust. It generates security alerts based on these dependencies. + +### How's this work? + +During the execution of a pipeline with the dependency scanning task, a new snapshot of the components is stored when there is a change in the repository's dependency graph. The dependency scanning task analyzes dependencies in various programming languages and generates security alerts. The build log provides a link to each individual alert, allowing for further investigation. Additionally, the build log includes essential details about each detected vulnerability, such as severity level, affected component, vulnerability title, and associated CVE. + + +![](images/008.png) + + +## Setup Dependency Scanning + +So, now that we learned about Dependency scanning, how do we add this into our project? + +1. Select and Edit the pipeline you want add scanning too, ```tailwindtraders-build.yml``` + +1. Locate the section where the build steps are defined, hint: look for - task: DotNetCoreCLI@2. + +1. 
Add the task Advanced Security Dependency Scanning **(AdvancedSecurity-Dependency-Scanning@1)** directly to your YAML pipeline file. + + ```yaml + - task: AdvancedSecurity-Dependency-Scanning@1 + - task: AdvancedSecurity-Publish@1 + ``` + +
+ Solution + + ```yaml + trigger: + - main + + variables: + resource-group: "ghazdo-workshops" + BuildConfiguration: "Release" + BuildPlatform: "any cpu" + Parameters.RestoreBuildProjects: "**/*.csproj" + Parameters.TestProjects: "**/*[Tt]ests/*.csproj" + webapp_name: tailwind-github-demo + advancedsecurity.submittoadvancedsecurity: true + + pool: + vmImage: windows-latest + + stages: + - stage: 'Build' + displayName: 'Build' + jobs: + - job: + displayName: 'Build on Windows' + steps: + - task: NodeTool@0 + displayName: 'Use Node 10.16.3' + inputs: + versionSpec: 10.16.3 + + - task: Npm@1 + displayName: 'npm install' + inputs: + workingDir: TailwindTraders.Website/Source/Tailwind.Traders.Web/ClientApp + verbose: false + + - task: DotNetCoreCLI@2 + displayName: Restore + inputs: + command: restore + projects: '$(Parameters.RestoreBuildProjects)' + + - task: DotNetCoreCLI@2 + displayName: Build + inputs: + projects: '$(Parameters.RestoreBuildProjects)' + arguments: '--configuration $(BuildConfiguration)' + + - task: AdvancedSecurity-Dependency-Scanning@1 + displayName: 'Dependency Scanning' + + - task: AdvancedSecurity-Publish@1 + displayName: 'Dependency Publish' + + - task: DotNetCoreCLI@2 + displayName: Test + inputs: + command: test + projects: '$(Parameters.TestProjects)' + arguments: '--configuration $(BuildConfiguration)' + + ``` + +
+1. Click **Save** to save the pipeline configuration file. + +5. The build will run automatically, initiating the dependency scanning task and publishing the results to Advanced Security. Please note that this process may take up to 10 minutes to finish. + + ![image](images/pipeline-run.png) + + +> **ProTip!**: Be sure to add the dependency scanning task following the build steps of a pipeline that builds the code you wish to scan. + +> Note: [For more information see **Set up dependency scanning**](https://learn.microsoft.com/en-us/azure/devops/repos/security/configure-github-advanced-security-features?view=azure-devops&tabs=yaml#set-up-dependency-scanning) + + +## Resolution of Dependency Detections + +### Dependency Detection Overview +- Dependency Scanning scans your project's dependencies, such as libraries, frameworks, and packages, to identify any known security vulnerabilities or outdated versions that may pose a risk to your application. This happens in the context of a build using the below task to get a thorough accurate analysis. + + ```yaml + - Task: AdvancedSecurity-Dependency-Scanning@1 + ``` + +
+Details on Build Task + +This task is ensure all the components get resolved during the build. This is important because we want to ensure we get a thorough accurate analysis. Once it knows the exact version of the package, a code inventory is taken from build output and compared to GitHub Advisory Database. This is why we recommend running this task in the context of a build. + +
+ +### Dependency Scanning Detections +1. Go to the **Repos** tab and click on the **Advanced Security** menu item on the bottom. +2. Click on **Dependencies** to see a list of all the dependencies alerts that have been found. This includes the **Alert**, **Vulnerable package**, **First detected** date. We can easily clean up the dependencies. + + ![Image](txt) + +### Dependency Scanning Alert Details + +1. Click on the item, **_Authorization Bypass Through User-Controlled..._** to see the details about this alert. + +2. This includes the **Recommendation**, **Locations** found, **Description**, **Severity**, and the **Date** it was first detected. We can easily clean up the dependencies. + + ![Image](txt) + +3. You can also view the code that triggered the alert and what build detected it. + +4. Click on **Detections** to see the different builds that detected this alert. + + ![Image](txt) + +- **ProTip!** When a vulnerable component is no longer detected in the latest build for pipelines with the dependency scanning task, the state of the associated alert is automatically changed to Closed. To see these resolved alerts, you can use the **State filter** in the main toolbar and select **Closed**. + +### Understanding Dependency Alerts +In your repository, there are two types of dependencies: **direct** and **transitive** (also known as indirect). +- **Direct dependencies**, components in your project. +- **Transitive dependencies**, components used by direct dependencies. + +
+Summary of Direct and Transitive Dependencies +- **Direct dependencies** are components that you have explicitly included in your project. +- **Transitive dependencies** are components that are used by your direct dependencies. + +It's important to note that vulnerabilities can exist in both direct and transitive dependencies. Regardless of whether the vulnerability is found in a direct or transitive dependency, your project remains vulnerable. Therefore, it's crucial to address vulnerabilities in all dependencies, regardless of their direct or indirect nature. +
+ +### Fixing Dependency Alerts +You can follow the reccomended steps to manually update dependencies. When a Dependency Alert is created in Azure DevOps Advanced Security, it will contain details about the vulnerability and steps you can take to resolve it. + +1. To view the alert, go to the **Azure DevOps Advanced Security dashboard**, scroll down and click on the alert **_MongoDB .NET/C# Driver vulnerable..._**. + + ![Image](images/2023-06-25_08-53-29.png =800x) + +2. Review **Recommendation**, **Location**, **Description**, and **Severity** to understand the vulnerability and how to resolve it. + + > Note: The reccomendation will provide you with the steps to resolve the vulnerability. For this one, simply update the driver version from **2.11.6** to **2.19.0**. to fix the vulerability. + +3. Click on the **Locations** to see the code that triggered the alert. + + ![Image](images/2023-06-25_08-56-04.png =800x) + +4. From the code editor, click **Edit**. + +5. On **line 26**, change the **version** of the **MongoDB.Driver** package to **2.19.0**. + + ![Image](images/2023-06-25_09-01-14.png =800x) + +6. Click **Commit** to save changes. Enter **fixalert** for branch name and check **Create a pull request**, then click **Commit** again. + + ![Image](images/2023-06-25_08-17-35.png =400x) + + > Note: This step is necessary since the main branch is protected by a pull request pipeline. + +7. Once the commit is saved, click **Create** to merge the changes into the main branch. + +8. This will run the **tailwindtraders-pullrequests** pipeline, which will validate the changes and run the dependency scanning task. + +9. Once the pipeline has completed, click **Approve** and **Complete**. + +10. Change Merge Type to **Squash commit** and check box next to branch name, **fixalert**, to merge changes into the main branch. 
+ + ![Image](images/2023-06-23_08-44-13.png =400x) + +> Note: The build will run automatically, initiating the dependency scanning task and publishing the results to Advanced Security and alert automatically closed. + +**ProTip!** Squash Merge is important. If we just commit, the exposed credential will still be in the history. To avoid this, fix code, use a Squash Merge, push it to repo, and you're done! + +11. Once the pipeline has completed, **tailwindtraders-build.yml**, go to the **Azure DevOps Advanced Security dashboard** and click on **Dependencies**. + +12. You will see that the alert **_MongoDB .NET/C# Driver vulnerable..._** no longer exists, as it is now closed. + +**ProTip!** Cleaning these up is not automatic, like GitHub Dependabot. This functionality is not in ADO today, but goodnews, the ADO team has it under active development. In the meantime, you can use the **_advsec.ps1_** PowerShell Script to accomplish this. + +**ProChallenge!** If time permits, setup a PR pipeline to automaticly fail if there are any dependency alerts with severity of **_Critical_**. Start by using the PowerShell Script **dependencyreview.ps1** to accomplish this. + +1. In the folder .azdo, look at the powershell script **depenencyreview.ps1** and the pipeline **tailwindtraders-dependencyreview**. The pipeline calls the PowerShell Script after the depenency scan runs + +
+Solution + ```yaml + - task: AdvancedSecurity-Dependency-Scanning@1 + displayName: 'Dependency Scanning' + + - task: AdvancedSecurity-Publish@1 + displayName: 'Dependency Publish' + + - task: PowerShell@2 + inputs: + workingDirectory: '$(System.DefaultWorkingDirectory)' + filePath: '.azdo/dependencyreview.ps1' + arguments: '-isInBuild $true' + failOnStderr: true + pwsh: true + env: + SYSTEM_ACCESSTOKEN: $(System.AccessToken) + ``` +
+ +2. Create a new pipeline that points to the **tailwindtraders-dependencyreview**. Azure DevOps always tries to create a azure-pipelines.yml pipeline first. Complete this and try again. +3. Make sure the pipeline triggers on every pull request. + + >Note: This is a great way to ensure you are using the latest and greatest versions of your dependencies, and also, ensure you are not using any vulnerable versions. + +## Congratulations you've made it to the end! 🎉 + +And with that, you've now concluded **Module 1: Software Composition Analysis**. You can now move on to your next module (in most cases that will be **Module 2: Secret Scanning**). + +### References + +- [GitHub Advanced Security for Azure DevOps, Dependency scanning](https://learn.microsoft.com/en-us/azure/devops/repos/security/github-advanced-security-dependency-scanning?view=azure-devops) + +- [Resolving npm packages](https://learn.microsoft.com/en-us/azure/devops/repos/security/github-advanced-security-dependency-scanning?view=azure-devops#npm) + + +## Setup Code Scanning + +## Setup Secret Scanning \ No newline at end of file diff --git a/labs/azuredevops/prereq-ghas/images/000.png b/labs/azuredevops/prereq-ghas/images/000.png new file mode 100644 index 0000000000..7e32bfa0a6 Binary files /dev/null and b/labs/azuredevops/prereq-ghas/images/000.png differ diff --git a/labs/azuredevops/prereq-ghas/images/001.png b/labs/azuredevops/prereq-ghas/images/001.png new file mode 100644 index 0000000000..0d9fc57a3d Binary files /dev/null and b/labs/azuredevops/prereq-ghas/images/001.png differ diff --git a/labs/azuredevops/prereq-ghas/images/002.png b/labs/azuredevops/prereq-ghas/images/002.png new file mode 100644 index 0000000000..5ed0efa2d7 Binary files /dev/null and b/labs/azuredevops/prereq-ghas/images/002.png differ 
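Review bot: from the `Solution` block onward this file is the dependency-scanning lab, not the code-scanning lab its front matter and Lab 1 describe. The solution pipeline contains `- task: AdvancedSecurity-Dependency-Scanning@1` and `- task: AdvancedSecurity-Publish@1` but none of the four CodeQL tasks (`AdvancedSecurity-Codeql-Init@1` through `AdvancedSecurity-Codeql-Publish@1`) that step 2 of Lab 1 tells the reader to add; the sections that follow are "Resolution of Dependency Detections" and "Module 1: Software Composition Analysis"; the Contents anchors `#lab-2-review-code-scanning-alerts-gain-insights` and `#lab-3-resolution-of-code-scanning-alerts-fix-leak` have no matching headings; and the page ends with two empty headings, `## Setup Code Scanning` and `## Setup Secret Scanning`. Either replace the solution with the Build job followed by the Init/Autobuild/Analyze/Publish tasks and write the Lab 2 and Lab 3 content, or drop the dependency material and retitle the page. Smaller points in the same region: `- Task: AdvancedSecurity-Dependency-Scanning@1` should be lowercase `task:` like every other step on the page; the ProTip "If we just commit, the exposed credential will still be in the history" was copied from the secrets lab and does not apply to a `MongoDB.Driver` version bump, and a squash merge does not rewrite commits that have already been pushed; the step list jumps from 1 to 5; and the `dependencyreview.ps1` step runs with `SYSTEM_ACCESSTOKEN: $(System.AccessToken)`, i.e. under the build service identity, so the text should say which Advanced Security permission that identity needs, since the prerequisites page grants `view alerts` only to Project Administrators.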
diff --git a/labs/azuredevops/prereq-ghas/images/003.png b/labs/azuredevops/prereq-ghas/images/003.png new file mode 100644 index 0000000000..d728043c4d Binary files /dev/null and b/labs/azuredevops/prereq-ghas/images/003.png differ diff --git a/labs/azuredevops/prereq-ghas/images/004.png b/labs/azuredevops/prereq-ghas/images/004.png new file mode 100644 index 0000000000..9e30f6a4bd Binary files /dev/null and b/labs/azuredevops/prereq-ghas/images/004.png differ diff --git a/labs/azuredevops/prereq-ghas/images/005.png b/labs/azuredevops/prereq-ghas/images/005.png new file mode 100644 index 0000000000..b67ebbcc03 Binary files /dev/null and b/labs/azuredevops/prereq-ghas/images/005.png differ diff --git a/labs/azuredevops/prereq-ghas/images/006.png b/labs/azuredevops/prereq-ghas/images/006.png new file mode 100644 index 0000000000..82b46588e8 Binary files /dev/null and b/labs/azuredevops/prereq-ghas/images/006.png differ diff --git a/labs/azuredevops/prereq-ghas/images/007.png b/labs/azuredevops/prereq-ghas/images/007.png new file mode 100644 index 0000000000..e82bc8c9f4 Binary files /dev/null and b/labs/azuredevops/prereq-ghas/images/007.png differ diff --git a/labs/azuredevops/prereq-ghas/readme.md b/labs/azuredevops/prereq-ghas/readme.md new file mode 100644 index 0000000000..cfd01cde63 --- /dev/null +++ b/labs/azuredevops/prereq-ghas/readme.md @@ -0,0 +1,110 @@ +--- +title: Using GitHub Advanced Security with Azure DevOps +layout: page +sidebar: vsts +permalink: /labs/azuredevops/ghazdo/ +folder: /labs/azuredevops/ghazdo/ +version: Lab version - 1.37.1 +updated: Last updated - 22/04/2024 +--- +
+ + +## GitHub Advanced Security ## + +GitHub Advanced Security for Azure DevOps brings the same secret scanning, dependency scanning and CodeQL code scanning solutions already available for GitHub users and natively integrates them into Azure DevOps to protect your Azure Repos and Pipelines. These scanning tools will natively embed automated security checks into the Azure DevOps platform, allowing developers to secure their code, secrets and supply chain without leaving their workflow. + +This has been designed to help familiarize you with GitHub Advanced Security (GHAS) for Azure DevOps so that you can better understand how to use it in your own repositories. + + +## Overview ## + +GitHub Advanced Security for Azure DevOps adds GitHub Advanced Security's suite of security features to Azure Repos. These capabilities will help developers implement security earlier in the software development lifecycle to find and fix security issues before code is deployed to production. GitHub Advanced Security for Azure includes: + +- **Dependency Scanning** – search for known vulnerabilities in open source dependencies (direct and transitive) + +- **Secret Scanning - push protection** - check if code pushes include commits that expose secrets such as credentials + +- **Secret Scanning** repo scanning: scan your repository and look for exposed secrets that were committed accidentally + +- **Code Scanning** – use CodeQL static analysis engine to identify code-level application vulnerabilities such as SQL injection and authentication bypass + + + +### Prerequisites ### + +- An Azure DevOps account. If you don't have one, you can sign up for free [here](https://azure.microsoft.com/products/devops/). + + +### Task 1: Configuring the Tailwind Traders team project ### + + +1. Navigate to [https://azuredevopsdemogenerator.azurewebsites.net](https://azuredevopsdemogenerator.azurewebsites.net/). 
This utility site will automate the process of creating a new Azure DevOps project within your account that is prepopulated with content (work items, repos, etc.) required for the lab. For more information on the site, please see [https://learn.microsoft.com/azure/devops/demo-gen/?view=azure-devops](https://learn.microsoft.com/azure/devops/demo-gen/?view=azure-devops). + +1. Sign in using the Microsoft account associated with your Azure DevOps subscription. + + ![](images/000.png) + +1. **Accept** the permission requests for accessing your subscription. + +1. Select your Azure DevOps organization and enter the project name **"Tailwind Traders"**. Click **Choose Template** and select Tailwind Traders, then click **Select Template**. + + ![](images/001.png) + +1. Enter the new project name and click on **Create Project**. Wait for the process to complete. + + ![](images/002.png) + + + +### Task 2: Enable the GitHub Advanced Security from portal ### + + GitHub Advanced Security for Azure DevOps includes extra permissions for more levels of control around Advanced Security results and management. Be sure to adjust individual permissions for your repository. To ensure Azure DevOps Advanced Security is enabled in your organization, you can follow these steps. + +1. Sign in to your Azure DevOps account with appropriate permissions to access organization settings + +1. Navigate to the Azure DevOps organization and Team Project you want to check. + +1. In the lower-left corner, click on **Project settings** + +1. In the left-menu area under **Repos**, click **Repositories**. + +1. Click on the **TailwindTraders** repository. + +1. Click on **Settings**, then click **Advanced Security**, On to turn it on. + +1. Click **Begin Billing**. + +1. **Advanced Security** and **Push Protection** is now enabled. + + ![](images/003.png) + + +### Task 3: Setup Advanced Security permissions ### + +1. Select **Security**, under **Azure DevOps Groups**, click on **Project Administrators**. 
+2. Next to **Advanced Security: manage and dismiss alerts**, click the dropdown and select **Allow**. +3. Next to **Advanced Security: manage settings**, click the dropdown and select **Allow**. +4. Next to **Advanced Security: view alerts**, click the dropdown and select **Allow**. +5. If successful, a green checkmark ✅ appears next to the selected permission. + + ![](images/004.png) + + +### Task 4: Setup Branch Protection ### + +Using Branch Policies for pre-merge checks is considered a best practice for developers because it helps ensure code quality, collaboration, and a controlled workflow. Let's setup a branch policy for the **main** branch with a build validation rule. + +1. Click **Policies**, under **Branch Policies**, click **master**. + + ![](images/005.png) + +2. Under **Build Validation**, click **+** to **Add new build policy**. + + ![](images/006.png) + +3. Click the **Build pipeline** dropdown and select **TailwindTraders-PullRequest**, click **Save**. + + ![](images/007.png) + +4. The build validation policy is now set up for the **master** branch. diff --git a/labs/azuredevops/prereq/readme.md b/labs/azuredevops/prereq/readme.md index 02703b7b9b..ce8ea38f09 100644 --- a/labs/azuredevops/prereq/readme.md +++ b/labs/azuredevops/prereq/readme.md 
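Review bot: Task 4 announces a branch policy for the **main** branch, but steps 1 and 4 select and confirm **master**, while every other page in this change assumes the policy is on `main` (`trigger: - main` in the pipelines, and the repeated note "This step is necessary since the main branch is protected by a pull request pipeline"). A build-validation policy on the wrong branch leaves the branch the labs actually merge into unprotected, so pick one branch name and use it throughout. The pipeline chosen here is `TailwindTraders-PullRequest`, whereas the other labs wait for `tailwindtraders-pullrequests`; align the names. In Task 1 the project name is entered twice (step 4 and step 5) and "Choose Template" / "Select Template" read as one action. Task 3 grants the three Advanced Security permissions only to Project Administrators, yet the secret-scanning page states that anyone with contributor permissions can view a summary of alerts; if that is expected to hold in the lab project, grant `Advanced Security: view alerts` to Contributors here as well.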
@@ -14,7 +14,7 @@ Certain Azure DevOps labs require a preconfigured **Parts Unlimited** team proje ### Task 1: Configuring the Parts Unlimited team project ### -1. Navigate to [https://azuredevopsdemogenerator.azurewebsites.net](https://azuredevopsdemogenerator.azurewebsites.net/). This utility site will automate the process of creating a new Azure DevOps project within your account that is prepopulated with content (work items, repos, etc.) required for the lab. For more information on the site, please see [https://docs.microsoft.com/en-us/azure/devops/demo-gen](https://docs.microsoft.com/en-us/azure/devops/demo-gen). +1. Navigate to [https://azuredevopsdemogenerator.azurewebsites.net](https://azuredevopsdemogenerator.azurewebsites.net/). This utility site will automate the process of creating a new Azure DevOps project within your account that is prepopulated with content (work items, repos, etc.) required for the lab. For more information on the site, please see [https://learn.microsoft.com/azure/devops/demo-gen/?view=azure-devops](https://learn.microsoft.com/azure/devops/demo-gen/?view=azure-devops). 1. Sign in using the Microsoft account associated with your Azure DevOps subscription. diff --git a/labs/azuredevops/secretscan/readme.md b/labs/azuredevops/secretscan/readme.md new file mode 100644 index 0000000000..13cc768b84 --- /dev/null +++ b/labs/azuredevops/secretscan/readme.md @@ -0,0 +1,287 @@ +--- +title: Secret Scanning with Azure DevOps +layout: page +sidebar: vsts +permalink: /labs/azuredevops/secretscan/ +folder: /labs/azuredevops/secretscan/ +version: Lab version - 1.37.1 +updated: Last updated - 22/07/2024 +--- +
+ + + +## Prerequisites ## +In this exercise, you will set up the **Tailwind Traders** project in Azure DevOps to explore the features on GitHub Advanced Security for Azure DevOps (GHAzDO). Complete the following steps to set up the Tailwind Traders project in Azure DevOps from [prerequisites](../prereq-ghas/readme.md). + +## Getting Started + +If you followed **Module 0 - Setup and Automation** you will have already enabled **_GitHub Advanced Security for Azure DevOps_**, **_Secret Scanning_**, and **_Push Protection_** at the repository level. + +Once this is enabled, navigate to https://dev.azure.com/mstechbootcamp/, select your team project **tp-<**yourgithubhandle**>**, and select the **TailwindTraders** repository to begin working through this module. + +------ +## Contents + +- [Lab 1: Secret Scanning Alerts](#lab-1-secret-scanning-alerts) +- [Lab 2: Protection of Repositories](#lab-2-protection-of-repositories) +- [Lab 3: Resolution of Secret Detections](#resolution-of-dependency-detections) +------ + +## Overview of Secret Scanning +Secret Scanning scans your codebase and other resources to identify potential secrets that may have been inadvertently committed and provides alerts to mitigate the risk of exposure. Push protection also prevents any credentials from being leaked in the first place. + +Once this is toggled on, it starts off a background scan of this repo and look for exposed credentials. The scan doesn't just look at tip of main, since attackers would look through all the branches and entire commit history. + +## Lab 1: Secret Scanning Alerts (Gain Insights) +The Advance Security Alert hub is where all alerts are raised and where we gain insights, specifically under the category of **Secrets**. When a secret is found, you can click on it to access more information. The secret may be located in different places, including various commits. + +### Secrets Review +1. 
Go to the **Repos** tab and click on the **Advanced Security** menu item on the bottom. +2. Click on **Secrets** to see a list of all the exposed Secrets alerts that have been found. This includes the **Alert** and **Introduced** date. + + ![Image](images/2023-06-21_14-31-01.png =650x) + +3. Click on **_Microsoft Azure CosmosDB identifiable master key..._** to see more details about the alert and what you can do to clean up the secret. + +4. Notice this includes the **Recommendation**, **Locations** found, **Remediation Steps**, **Severity**, and the **Date** it was first intruduced. We can easily clean this up and dismiss the alert. + + ![Image](images/2023-06-24_16-35-54.png =650x) + +## Lab 2: Protection of Repositories (Stop the Leak) +Once a credential touches the repo, it's too late. Hackers might have already exploited it. The only way forward is to eliminate these leaks permanently and to find all the place they're actually being used in production. + +> Note: **Good news**, GHAzDO focuses on preventing this in the first place. **Bad news**, these need to be manually fixed. There isn't an Easy Button. + +### Push Protection +Push Protection helps protect your repository by preventing unauthorized or malicious code from being pushed to your repository's branches. + +### Updating Secrets +You can follow these steps to update a file. + +1. While viewing the alert details, click on the line of code, **_appsettings.json_**. + + ![Image](images/2023-06-21_14-39-26.png =550x) + +2. Click **Edit** to edit the file. This will open up the code editor and highlight the exact location of the secret. In this case, it's in the **.json** file. + +3. On **line 31**, update the **MongoConnectionString** to use the correct server name **"ghazdoservername:"**. Be sure to ONLY replace server name and NOT the entire connection string. + + ```json + "MongoConnectionString": "mongodb://ghazdoservername:..." + ``` + +4. Click **Commit** to save changes. 
Enter **fixsecret** for branch name and check **Create a pull request**, then click **Commit** again. + +5. The commit was rejected because the repository has both secret and branch protection enabled. This is a good thing! It's preventing us from checking in the exposed secret. Let's fix this. + + ![Image](images/2023-06-21_16-09-57.png =450x) + + > Note: the code went up to the server, analyzed, then rejected, not stored anywhere. Using Secret push scanning, it catches secrets right before it becomes a problem. + +**ProTip!** This can't happen during a Pull Request. Once the code has pushed into topic branch, it's too late. PR analysis is best for dependency scanning but not secret push scanning, they are different. + +### Fixing Exposed Secrets +You can follow these steps to fix the exposed secret. + +1. Click **Cancel** to return to the code editor. + + > Note: This scenerio is all too common. A developer is testing an applicatioin locally and needs to connect to a database, so what do they do? Of course, just put the connection string in the **appsettings.json** file. They forget to remove it before checking in the code. Now the secret is exposed in the repo, and not just the tip. The exposed credential will still be in the history. This is a huge security hole! + +2. On **line 31**, change the **MongoConnectionString** to be empty **""**. + + ```json + "MongoConnectionString": "" + ``` + +3. Click **Commit** to save changes. Enter **fixsecret** for branch name and check **Create a pull request**, then click **Commit** again. + + > Note: This step is necessary since the main branch is protected by a pull request pipeline. + +4. Click **Create a pull request** to merge the changes into the main branch. + + ![Image](images/2023-06-23_12-28-07.png =550x) + +5. Click **Create** on the New pull request page. + +6. This will run the **tailwindtraders-pullrequests** pipeline and validate the changes. + +7. 
Once the pipeline has completed, click **Approve** and **Complete** + +8. Change **Merge Type** to **Squash commit** and check box **Delete fixsecret after merging**, to merge changes into the main branch. + + ![Image](images/2023-06-23_08-44-13.png =450x) + + > Note: The build will run automatically, initiating the dependency scanning task and publishing the results to Advanced Security and alert automatically closed. + +### Dismissing Alert +You can follow these steps to dismiss the alert. + +1. Once the pipeline **tailwindtraders-build.yml** has completed, go to the **Azure DevOps Advanced Security dashboard** and click on **Secrets**. + +2. Click on the following item, **_Microsoft Azure CosmosDB identifiable master key..._** to see the exposed secret an how we easily dismiss the alert. + +3. Click on **Close alert** to dismiss the alert, and select **Revoked**, then click **Close**. + + ![Image](images/2023-06-21_15-01-17.png =300x) + + > Note: Once the code is merged into **main**, GHAzDO starts off a background scan of this repo and looks for exposed credentials. The scan doesn't just look at tip of main either, since attackers would look through all the branches and entire commit history. + +5. Go to the **Azure DevOps Advanced Security dashboard** and click on **Secrets**, you will see a list of all the exposed Secrets alerts that have been found. + +6. You will see that the alert **_Microsoft Azure CosmosDB identifiable master key..._** no longer exists, as it is now revoked. + +
+Summary +Exposed credentials pose a significant security risk, as they are responsible for major security breaches. As a developer, it is crucial to take responsibility for fixing these issues rather than ignoring them. Once a credential is present in a repository, it may have already been exploited by hackers. The only effective solution is to permanently eliminate these leaks. It is essential to locate all the instances where the credentials are being used in production systems. This requires actively identifying and replacing each occurrence with a new credential to ensure complete elimination of the compromised credentials. +
+ +## Lab 3: Resolution of Secret Detections (Fix Issues) +When a secret is detected in a repository, it is important to take prompt action to remediate the issue and ensure the security of your codebase. + +> Note: To keep this example simple, we're going to make 2 code changes for 1 Pull Request in 1 feature branch. In a real-world scenario, you would want to make 2 separate Pull Requests or use an IDE to make all the changes at once. + +1. Click **Repos**, click **Branches**, click **New branch**, enter **fixsecret** for the branch name, and click **Create**. + +2. Go to the **Azure DevOps Advanced Security dashboard** and click on **Secrets**, you will see a list of all the exposed Secrets alerts that have been found. This includes the **Alert**, **Introduced** date. + +3. Click on the following item, **_Azure Logic App SAS_** to see the exposed secret and what we can do to clean up the secret. This includes the **Recommendation**, **Locations** found, **Remediation Steps**, **Severity**, and the **Date** it was first intruduced. + + ![Image](images/2023-06-21_15-25-27.png =700x) + +4. Click on the **Locations** to see the code that triggered the alert. + + ![Image](images/2023-06-21_15-53-50.png =500x) + +5. This will show you the code that triggered the alert. + +6. On line **262**, hightlight the untire URL between the **""** and cut-in-paste into Notepad to save the URL, we'll need it later. + +7. Replace the URL with **#{SASURL}#** between the quotes to look like this. + + ```html + "url": "#{SASURL}#" + ``` + > Note: This token will be replaced with the actual value during the build process. + +10. Click **Commit** to save changes. Confirm **fixsecret** for branch name, then click **Commit** again. + +11. Next, we need to update the build pipeline to add a variable. Click on **Pipelines** and click on **tailwindtraders-build.yml**. + +12. Click on **Edit** to edit the pipeline. Change to the **fixsecret** branch. 
+ + ![Image](images/2023-06-23_12-20-30.png =500x) + +13. Click on **Variables** and click **+ New Variable**. Enter **SASURL** for the name and paste the URL from Notepad into the value field. + + ![Image](images/2023-06-23_13-44-04.png =400x) + +14. Click **Keep this value secret** to hide the value, then click **Ok** and **Save**. + +15. Next we need to edit the pipeline and add a new build task to replace the **#{SASURL}#** with the actual value. + +16. While still in edit mode, add the following task between **Restore** and **Build** tasks, around line **40**. This will replace the **#{SASURL}#** with the actual value in the **_TailwindTradeBot.dialog_** file. + + ```yaml + - task: qetza.replacetokens.replacetokens-task.replacetokens@3 + inputs: + targetFiles: '**/*.dialog' + encoding: 'auto' + tokenPattern: 'custom' + tokenPrefix: '#{' + tokenSuffix: '}#' + verbosity: 'detailed' + keepToken: false + ``` +
+ Solution + + ```yaml + - task: DotNetCoreCLI@2 + displayName: Restore + inputs: + command: restore + projects: '$(Parameters.RestoreBuildProjects)' + + - task: qetza.replacetokens.replacetokens-task.replacetokens@3 + inputs: + targetFiles: '**/*.dialog' + encoding: 'auto' + tokenPattern: 'custom' + tokenPrefix: '#{' + tokenSuffix: '}#' + verbosity: 'detailed' + keepToken: false + + - task: DotNetCoreCLI@2 + displayName: Build + inputs: + projects: '$(Parameters.RestoreBuildProjects)' + arguments: '--configuration $(BuildConfiguration)' + + ``` +
+ +17. Select **Commit directly to the fixsecret branch**, then click **Save**. + + ![Image](images/2023-06-23_12-24-59.png =400x) + +18. Once the commit is saved, click on **Repos**, click **Pull Requests**, and click **Create a pull request** to merge the changes from branch **fixsecret** into branch **main**. + + ![Image](images/2023-06-23_12-28-07.png =550x) + +19. For the Title, enter **Fixed secret by adding a build token**, and click **Create**. This will run the **tailwindtraders-pullrequests** pipeline to validate changes. + +20. Once the **tailwindtraders-pullrequests** pipeline has completed, click **Approve** and **Complete**. + +21. Change **Merge Type** to **Squash commit** and check box **Delete fixsecret after merging**, to merge changes into the main branch. + + ![Image](images/2023-06-23_08-44-13.png =400x) + +**ProTip!** Squash Merge is important. If we just commit, the exposed credential will still be in the history. To avoid this, fix code, use a Squash Merge, push it to repo, and you're done! + +> Note: The build will run automatically, initiating the secret scanning task, publish the results to Advanced Security, and alert will automatically closed. However, the exposed issue will still be in the history and must be dismissed. + +### Dismissing Alert +You can follow these steps to dismiss the alert. + +1. Once the pipeline **tailwindtraders-build.yml** has completed, go to the **Azure DevOps Advanced Security dashboard** and click on **Secrets**. + +2. Click on the following item, **_Azure Logic App SAS..._** to see the exposed secret an how we easily dismiss the alert. + +3. Click on **Close alert** to dismiss the alert, and select **Revoked**, then click **Close**. + + ![Image](images/2023-06-21_15-01-17.png =300x) + + > Note: Once the code is merged into **main**, GHAzDO starts off a background scan of this repo and looks for exposed credentials. 
The scan doesn't just look at tip of main either, since attackers would look through all the branches and entire commit history. + +4. Go to the **Azure DevOps Advanced Security dashboard** and click on **Secrets**, you will see a list of all the exposed Secrets alerts that have been found. + +5. You will see that the alert **_Azure Logic App SAS..._** no longer exists, as it is now revoked. + +> Note: Anyone with contributor permissions for a repository can view a summary of all alerts for a repository but only project administrators can dismiss Advanced Security alerts. + +
+Supported Secrets + +### Supported Secrets +The table provides information on the secrets supported by secret scanning. It lists the token provider's name and specifies the type of alert generated for each token. The "User" column indicates tokens for which leaks are reported to users after a push, specifically for repositories with GitHub Advanced Security enabled. The "Push protection" column indicates tokens for which leaks are reported to users upon push, specifically for repositories with both secret scanning and push protection enabled. + +![Image](images/2023-06-12-154929.png =550x) + +> Note: For entire list, see [Supported Secrets](https://learn.microsoft.com/en-us/azure/devops/repos/security/github-advanced-security-secret-scanning?view=azure-devops#supported-secrets) + +
+ +## Congratulations you've made it to the end! 🎉 + +And with that, you've now concluded **Module 2: Secret Scanning**. You can now move on to your next module (in most cases that will be **Module 3: Code Scanning**). + +### References + +- [GitHub Advanced Security for Azure DevOps, Secret scanning](https://learn.microsoft.com/en-us/azure/devops/repos/security/github-advanced-security-secret-scanning?view=azure-devops) + +- [GitHub Advanced Security for Azure DevOps, Push protection](https://learn.microsoft.com/en-us/azure/devops/repos/security/github-advanced-security-push-protection?view=azure-devops) + +- [Replace Tokens task](https://github.com/qetza/vsts-replacetokens-task/tree/master/tasks/ReplaceTokensV3) +
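Review bot: both "Dismissing Alert" procedures (Lab 2 for the Cosmos DB master key, Lab 3 for the Logic App SAS) close the alert with reason **Revoked** without any step that actually revokes or regenerates the credential; blanking the value in `appsettings.json`, or moving the SAS URL into a secret pipeline variable, leaves the original key valid and, as the page's own Summary and the note after step 21 state, still in the commit history. Add a rotation step (regenerate the Cosmos DB key and the Logic App SAS in the Azure portal and update their consumers) before "Close alert", or have the reader choose a close reason that matches what was done. Related points in the same file: the ProTip "use a Squash Merge, push it to repo, and you're done!" contradicts the adjacent note that "the exposed issue will still be in the history", and a squash merge does not remove the commit that introduced the secret on `main` (the alert carries an **Introduced** date from before the fix) nor the commits already pushed to `fixsecret`; the notes "initiating the dependency scanning task ... and alert automatically closed" (after step 8 of Lab 2) and "initiating the secret scanning task" (after step 21) are copied from the dependency lab, while the Overview on this page says secret scanning is a background repository scan and no secret-scanning task appears in any pipeline shown; the Contents link for Lab 3 points to `#resolution-of-dependency-detections`, which is not a heading on this page; the Push Protection paragraph ("preventing unauthorized or malicious code from being pushed") overstates the feature relative to the Overview's own description of blocking pushes that contain credentials; and the step numbering skips (7 to 10 in Lab 3, 3 to 5 under Dismissing Alert).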