Skip to content

Commit

Permalink
Minor updates to user-facing content (#24)
Browse files Browse the repository at this point in the history 
* Update README.md

* Update 1-dependency-graph.md

* Update 2-dependabot-alerts.md

* Update 3-dependabot-security.md

* Update 3-dependabot-security.md continued

* Update 4-dependabot-versions.md

* Self-review fixes

* One more fix

* Apply suggestions from code review

Co-authored-by: Vanessa <[email protected]>

---------

Co-authored-by: Vanessa <[email protected]>
  • Loading branch information
@felicitymay @vgrl
felicitymay and vgrl authored May 20, 2024
1 parent 17b3110 commit 84df1bc
Show file tree
Hide file tree
Showing 5 changed files with 85 additions and 57 deletions.
27 changes: 15 additions & 12 deletions .github/steps/1-dependency-graph.md
View file
Original file line number Diff line number Diff line change
Expand Up @@ -18,18 +18,20 @@ GitHub offers a range of features to help you understand the dependencies in you
- Dependencies, the ecosystems and packages it depends on
- Dependents, the repositories and packages that depend on it

### :keyboard: Activity: Verify that dependency graph is enabled
### :keyboard: Activity 1.1: Verify that dependency graph is enabled

**We recommend opening another browser tab to work through the following activities so you can keep these instructions open for reference.**

1. Navigate to the `Settings` tab.
1. Click `Code security and analysis`.
1. Verify/enable **Dependency graph**. (If the repo is private, you will enable it here. If the repo is public, it will be enabled by default)
Dependency graph is enabled by default for all new public repositories. If you're working in a public repository, you can go straight to "Activity 1.2: Add a new dependency and view your dependency graph." For private or internal repositories, you'll need to enable Dependency graph.

### :keyboard: Activity: Add a new dependency and view your dependency graph
1. Navigate to the **Settings** tab.
1. Click **Code security and analysis**.
1. **Enable** "Dependency graph."

1. Navigate to the `Code` tab and locate the `code/src/AttendeeSite` folder.
1. Add the following content to the `package-lock.json` file after the third to last `}`
### :keyboard: Activity 1.2: Add a new dependency and view your dependency graph

1. Navigate to the **Code** tab and locate the `code/src/AttendeeSite` folder.
1. Add the following content to the `package-lock.json` file after the third to last bracket `}` and before the last two brackets.
```
,
"follow-redirects": {
Expand All @@ -38,9 +40,10 @@ GitHub offers a range of features to help you understand the dependencies in you
"integrity": "sha512-HWqDgT7ZEkqRzBvc2s64vSZ/hfOceEol3ac/7tKwzuvEyWx3/4UegXh5oBOIotkGsObyk3xznnSRVADBgWSQVg=="
}
```
1. Navigate to the `Insights` tab.
1. Click `Dependency graph`.
1. Review all new dependencies on the `Dependencies` hub.
1. Navigate to the **Insights** tab.
1. Select **Dependency graph** from the side navigation bar.
1. Review all the dependencies on the **Dependencies** tab.
1. Search for `follow-redirects` and review the new dependency you just added.
![Screen Shot 2022-10-17 at 3 37 36 PM](https://user-images.githubusercontent.com/6351798/196288729-734e3319-c5d7-4f35-a19c-676c12f0e27d.png)
1. Wait about 20 seconds then refresh this page (the one you're following instructions from). [GitHub Actions](https://docs.github.com/en/actions) will automatically update to the next step.
![Screen Shot showing the "follow-redirects" dependency.](https://user-images.githubusercontent.com/6351798/196288729-734e3319-c5d7-4f35-a19c-676c12f0e27d.png)

Wait about 20 seconds then refresh this page (the one you're following instructions from). [GitHub Actions](https://docs.github.com/en/actions) will automatically update to display the next step.
47 changes: 25 additions & 22 deletions .github/steps/2-dependabot-alerts.md
View file
Original file line number Diff line number Diff line change
@@ -1,43 +1,46 @@
## Step 2: Enable and view Dependabot alerts

_Nice work! :tada: You added and viewed a dependency with `dependency graph`!_
_Nice work! :tada: You added and viewed a dependency using Dependency graph!_

Given how many dependencies our repository is using, maintaining them needs to become an automated task. Keeping our code secure is a top priority, so one thing we need to do is set up a way to be notified when a dependency we are using is vulnerable or malware. We can do this by enabling Dependabot alerts!
Given how many dependencies our repository uses, maintaining them needs to become an automated task. Keeping our code secure is a top priority, so the first thing we need to do is set up a way to be notified when a dependency we are using is vulnerable or malware. We can do this by enabling Dependabot alerts.

**What are Dependabot alerts?**: Dependabot alerts tell you that your code depends on a package that is insecure. These Dependabot alerts reference the [GitHub Advisory Database](https://github.com/advisories), which contains a list of known security vulnerabilities and malware, grouped in two categories: **GitHub reviewed advisories** and **unreviewed advisories**.

If your code depends on a package that has a security vulnerability, this can cause a range of problems for your project or the people who use it. You should upgrade to a secure version of the package as soon as possible. If your code uses malware, you need to replace the package with a secure alternative.

Let's try this out with our newly added `follow-redirects` dependency!

### :keyboard: Activity: View security advisories in the GitHub Advisory Database
### :keyboard: Activity 2.1: View security advisories in the GitHub Advisory Database

1. Navigate to the [GitHub Advisory Database](https://github.com/advisories).
1. Type or paste `follow-redirects` into the search box.
1. Click on any of the advisories that were found.
1. Note the packages, impact, patches, workaround, and references for the advisory.
1. Navigate to [GitHub Advisory Database](https://github.com/advisories).
1. Type or paste `follow-redirects` into the advisory search box.
1. Click on any of the advisories that were found to see more information.
1. You'll see the packages, impact, patches, workaround, and references for the advisory.

Notice the list of advisories for our dependency! This can look scary but it's actually a good thing. It means that our dependency is actively being maintained and patches are being pushed to remove the vulnerability. If we had Dependabot alerts enabled, we could receive alerts when we need to update a dependency and act promptly to secure them.
Notice the long list of advisories for our dependency! This can look scary but it's actually a good thing. It means that our dependency is actively being maintained and patches are being pushed to remove the vulnerability. If we had Dependabot alerts enabled, we could receive alerts when we need to update a dependency and act promptly to secure them.

Let's enable Dependabot alerts on our repository!

### :keyboard: Activity: Enable Dependabot alerts
### :keyboard: Activity 2.2: Enable Dependabot alerts

1. Navigate to the `Settings` tab.
1. Click `Code security and analysis`.
1. Click `Enable` Dependabot alerts (**Wait about 60 seconds and then click the `Security` tab at the top of the repository**).
1. Review each of the `Dependabot` alerts under the `Vulnerability alerts` section.
1. Navigate to the **Settings** tab.
1. Display the settings for **Code security and analysis**.
1. **Enable** Dependabot alerts.
1. **Wait about 60 seconds for Dependabot to check for alerts.**
1. Navigate to the **Security** tab.
1. Under "Vulnerability alerts" in the side bar, select **Dependabot** to view a list of the Dependabot alerts for the default branch.

Dependabot has alerted us of vulnerabilities that need to be updated from the dependencies that we are using. Dependabot helps us address these vulnerabilities by creating pull requests for each one as we select and review the alert.
Dependabot has alerted us to vulnerabilities in the dependencies that we use. We can also use Dependabot to help us address these vulnerabilities by creating pull requests to update the dependency to a safe version.

Let's see how this would work by using Dependabot to create a pull request for one of the alerts!

### :keyboard: Activity: Create a pull request based on a Dependabot alert
### :keyboard: Activity 2.3: Create a pull request based on a Dependabot alert

1. Select the `Prototype Pollution in minimist` alert under the `Dependabot alerts` section and click on the alert.
1. Click the `Create Dependabot security update` button (**This will create a pull request for the fix and could take ~2 minutes**).
1. Click the `Review security update` button. The pull request will be displayed.
- You can view the pull request and `Files changed` tab to review the update.
1. Navigate back to the `Conversation` tab and click the `Merge pull request` button.
1. Click `Confirm merge`.
1. Wait about 20 seconds then refresh this page (the one you're following instructions from). [GitHub Actions](https://docs.github.com/en/actions) will automatically update to the next step.
1. In the list of Dependabot alerts, click the "Prototype Pollution in minimist" to display more information.
1. Click the **Create Dependabot security update** button to create a pull request to update the dependency. This could take up to 2 minutes.
1. When the pull request is open, the alert page is updated to show a **Review security update** button.
1. Click the **Review security update** button to display the pull request.
- You can view the pull request and **Files changed** tab to review the update.
1. Navigate back to the **Conversation** tab and merge the pull request.

Wait about 20 seconds then refresh this page (the one you're following instructions from). [GitHub Actions](https://docs.github.com/en/actions) will automatically update to display the next step.
18 changes: 9 additions & 9 deletions .github/steps/3-dependabot-security.md
View file
Original file line number Diff line number Diff line change
Expand Up @@ -4,15 +4,15 @@ _Nice work enabling, viewing, and creating Dependabot alerts :sparkles:_

Enabling Dependabot alerts on our repository was a great step toward improving our code security, but we still had to manually select an alert and then manually select the option to create the pull request. It would be nice to further improve the automation and maintenance of our dependencies! Well, with Dependabot security updates, we can do just that.

**What are Dependabot security updates?**: When enabled, Dependabot will detect and fix vulnerable dependencies for you by opening pull requests automatically to resolve Dependabot alerts when they arise.
**What are Dependabot security updates?**: When this feature is enabled, Dependabot detects *and* fixes vulnerable dependencies for you by opening pull requests automatically to resolve Dependabot alerts.

We manually created the pull request for the `Prototype Pollution in minimist` alert, but let's now enable Dependabot security updates to automate this process with the next alert!
We manually created a pull request to fix the "Prototype Pollution in minimist" alert, but let's enable Dependabot security updates to automate this process for future alerts!

### :keyboard: Activity: Enable and trigger Dependabot security updates
### :keyboard: Activity 3.1: Enable and trigger Dependabot security updates

1. Navigate to the `Settings` tab, select `Code security and analysis`, and enable the `Dependabot security updates`.
1. Navigate to the `Pull requests` repository tab and select the newly created pull request that updates axios from version 0.21.1 to a patched version.
- You may need to wait 30-60 seconds.
1. Click the `Merge pull request` button.
1. Click `Confirm merge`.
1. Wait about 20 seconds then refresh this page (the one you're following instructions from). [GitHub Actions](https://docs.github.com/en/actions) will automatically update to the next step.
1. Navigate to the **Settings** tab and select **Code security and analysis**.
1. Enable Dependabot security updates. You may need to wait 30-60 seconds before you see any new pull requests.
1. Navigate to the **Pull requests** repository tab and select the newly created pull request that updates axios from version 0.21.1 to a patched version.
1. Review and merge the pull request.

Wait about 20 seconds then refresh this page (the one you're following instructions from). [GitHub Actions](https://docs.github.com/en/actions) will automatically update this page to display the next step.
44 changes: 33 additions & 11 deletions .github/steps/4-dependabot-versions.md
View file
Original file line number Diff line number Diff line change
Expand Up @@ -2,20 +2,42 @@

_Nicely done!_ :partying_face:

You now have automated the process for Dependabot to alert and create pull requests to update your dependencies! At this point, you only need to review the pull request and then merge it to stay on top of your security alerts.
You now have automated the process for Dependabot to alert you to vulnerabilities with your dependencies and to create pull requests to update them to secure versions! At this point, you only need to review the pull request and then merge it to stay on top of security problems with Dependencies.

The security updates feature helps automate the process to resolve alerts, but what about just keeping up-to-date with version updates? We can have the same automation to update our dependencies for updated versions using the Dependabot version updates feature.
The security updates feature helps automate the process to resolve alerts, but what about just keeping up-to-date with version updates? We can also automate pull request generation for updated versions of dependencies using the Dependabot version updates feature.

**What are Dependabot version updates?**: In addition to security alerts, Dependabot can also take the effort out of maintaining your dependencies. You can use it to ensure that your repository automatically keeps up with the latest releases of the packages and applications it depends on. Just like security alerts, Dependabot will identify an outdated dependency and create a pull request to update the manifest to the latest version of the dependency.
**What are Dependabot version updates?**: In addition to security alerts, Dependabot can also take the effort out of maintaining your dependencies. You can use it to ensure that your repository automatically keeps up with the latest releases of the packages and applications it depends on. Similar to security alerts, Dependabot will identify an outdated dependency and create a pull request to update the manifest to the latest version of the dependency.

Let's see how this works!

### :keyboard: Activity: Enable and trigger Dependabot version updates
### :keyboard: Activity 4.1: Enable and trigger Dependabot version updates

1. Navigate to the `Settings` tab, select `Code security and analysis`, and enable the `Dependabot version updates`.
- A new file editor opens with pre-poplulated contents. The file is called `dependabot.yml`.
1. Add `nuget` to the `package-ecosystem`.
1. Change the `directory` to `/code/`. (The `dependabot.yml` file should look like this)
![Screen Shot 2022-09-27 at 6 52 45 AM](https://user-images.githubusercontent.com/26442605/192545528-dfc33648-94ce-4421-8710-c5bb0a41b0ec.png)
1. Click `Commit changes` directly to the main branch.
1. Wait about 20 seconds then refresh this page (the one you're following instructions from). [GitHub Actions](https://docs.github.com/en/actions) will automatically update to the next step.
1. Navigate to the **Settings** tab and select **Code security and analysis**.
1. Locate "Dependabot version updates" and click **Configure** to open a new file editor with pre-poplulated contents. The file is called `dependabot.yml`.
1. Notice that the file is prepopulated to update the GitHub actions in the repository, the `github-actions` package ecosystem.
1. Copy the lines that define the GitHub actions updates and append them to the file.
1. Edit your copy of the content:
- Change the `package-ecosystem` to `nuget`.
- Change the `directory` to `/code/`.
- Change the `interval` to `weekly`.

The `dependabot.yml` file should now look like this.
```yaml
version: 2
updates:
- package-ecosystem: "github-actions"
directory: "/"
schedule:
interval: "monthly"
- package-ecosystem: "nuget"
directory: "/code/"
schedule:
interval: "weekly"
```
1. Commit your changes directly to the `main` branch.

You have now configured Dependabot version updates to run and check for updates as follows:
- Check once a month for updates to GitHub Actions and create pull requests to update any that are out of date.
- Check once a week for updates to .NET packages and create pull requests to update any that are out of date. By default, this check runs on a Monday, to run the check on a different day, see [schedule.day](https://docs.github.com/en/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#scheduleday).

Wait about 20 seconds then refresh this page (the one you're following instructions from). [GitHub Actions](https://docs.github.com/en/actions) will automatically update to display the next step.
6 changes: 3 additions & 3 deletions README.md
View file
Original file line number Diff line number Diff line change
Expand Up @@ -29,12 +29,12 @@ GitHub helps you secure your supply chain, from understanding the dependencies i
- **Prerequisites**: None
- **Timing**: This course can be completed in under an hour

In this course, you will:
In this course, you will explore:

1. Dependency graph
2. Dependency alerts
3. Dependency security
4. Dependency versions
3. Dependency security updates
4. Dependency versions updates

### How to start this course

Expand Down

0 comments on commit 84df1bc

Please sign in to comment.