amdhyani
diff --git a/‎.github/dependabot.yml‎
Lines changed: 6 additions & 0 deletions b/‎.github/dependabot.yml‎
Lines changed: 6 additions & 0 deletions
diff --git a/‎.github/steps/1-dependency-graph.md‎
Lines changed: 51 additions & 0 deletions b/‎.github/steps/1-dependency-graph.md‎
Lines changed: 51 additions & 0 deletions
diff --git a/‎.github/steps/2-dependabot-alerts.md‎
Lines changed: 47 additions & 0 deletions b/‎.github/steps/2-dependabot-alerts.md‎
Lines changed: 47 additions & 0 deletions
diff --git a/‎.github/steps/3-dependabot-security.md‎
Lines changed: 20 additions & 0 deletions b/‎.github/steps/3-dependabot-security.md‎
Lines changed: 20 additions & 0 deletions
diff --git a/‎.github/steps/4-dependabot-versions.md‎
Lines changed: 46 additions & 0 deletions b/‎.github/steps/4-dependabot-versions.md‎
Lines changed: 46 additions & 0 deletions
diff --git a/‎.github/steps/x-review.md‎
Lines changed: 26 additions & 0 deletions b/‎.github/steps/x-review.md‎
Lines changed: 26 additions & 0 deletions
diff --git a/‎.github/workflows/0-start-exercise.yml‎
Lines changed: 63 additions & 0 deletions b/‎.github/workflows/0-start-exercise.yml‎
Lines changed: 63 additions & 0 deletions
@@ -0,0 +1,6 @@
+version: 2
+updates:
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    schedule:
+      interval: "monthly"
@@ -0,0 +1,51 @@
+## Step 1: Review and add dependencies using dependency graph
+
+**What's the big deal about securing your repository's supply chain?**: With the accelerated use of open source, most projects depend on hundreds of open-source dependencies. This poses a security problem: what if the dependencies you're using are vulnerable? You could be putting your users at risk of a supply chain attack. One of the most important things you can do to protect your supply chain is to patch your vulnerable dependencies and replace any malware.
+
+GitHub offers a range of features to help you understand the dependencies in your environment, know about vulnerabilities in those dependencies, and patch them. The supply chain features on GitHub are:
+
+- Dependency graph
+- Dependency review
+- Dependabot alerts
+- Dependabot updates
+  - Dependabot security updates
+  - Dependabot version updates
+
+**What is a dependency graph**: The dependency graph is a summary of the manifest and lock files stored in a repository and any dependencies that are submitted for the repository using the dependency submission API (beta). For each repository, it shows:
+
+- Dependencies, the ecosystems and packages it depends on
+- Dependents, the repositories and packages that depend on it
+
+### :keyboard: Activity 1.1: Verify that dependency graph is enabled
+
+**We recommend opening another browser tab to work through the following activities so you can keep these instructions open for reference.**
+
+>[!NOTE]
+> Dependency graph is enabled by default for all new public repositories.
+
+1. Navigate to the **Settings** tab.
+1. Click **Advanced Security**.
+1. Verify **Dependency Graph** is **Enabled**
+
+### :keyboard: Activity 1.2: Add a new dependency and view your dependency graph
+
+1. Navigate to the **Code** tab and locate the `code/src/AttendeeSite` folder.
+1. Commit the following content on the `main` branch to the `package-lock.json` file as the last item on the `dependencies` map _(after the third to last bracket `}` and before the last two brackets)_
+
+    > 🪧 **Note:** You can edit and commit the file on github.com directly or hit the `.` key to open the lightweight editor to edit and commit changes.
+
+    ```json
+    ,
+    "follow-redirects": {
+      "version": "1.14.1",
+      "resolved": "https://registry.npmjs.org/follow-redirects/-/follow-redirects-1.14.1.tgz",
+      "integrity": "sha512-HWqDgT7ZEkqRzBvc2s64vSZ/hfOceEol3ac/7tKwzuvEyWx3/4UegXh5oBOIotkGsObyk3xznnSRVADBgWSQVg=="
+    }
+    ```
+
+1. Navigate to the **Insights** tab.
+1. Select **Dependency graph** from the side navigation bar.
+1. Review all the dependencies on the **Dependencies** tab.
+1. Search for `follow-redirects` and review the new dependency you just added.
+   ![Screen Shot showing the "follow-redirects" dependency.](https://user-images.githubusercontent.com/6351798/196288729-734e3319-c5d7-4f35-a19c-676c12f0e27d.png)
+1. With the new dependency added, Mona should already be busy checking your work. Give her a moment and keep watch in the comments. You will see her respond with progress info and the next lesson.
@@ -0,0 +1,47 @@
+## Step 2: Enable and view Dependabot alerts
+
+_Nice work! :tada: You added and viewed a dependency using Dependency graph!_
+
+Given how many dependencies our repository uses, maintaining them needs to become an automated task. Keeping our code secure is a top priority, so the first thing we need to do is set up a way to be notified when a dependency we are using is vulnerable or malware. We can do this by enabling Dependabot alerts.
+
+**What are Dependabot alerts?**
+
+Dependabot alerts tell you that your code depends on a package that is insecure. These Dependabot alerts reference the [GitHub Advisory Database](https://github.com/advisories), which contains a list of known security vulnerabilities and malware, grouped in two categories: **GitHub reviewed advisories** and **unreviewed advisories**.
+
+If your code depends on a package that has a security vulnerability, this can cause a range of problems for your project or the people who use it. You should upgrade to a secure version of the package as soon as possible. If your code uses malware, you need to replace the package with a secure alternative.
+
+Let's try this out with our newly added `follow-redirects` dependency!
+
+### :keyboard: Activity 2.1: View security advisories in the GitHub Advisory Database
+
+1. Navigate to [GitHub Advisory Database](https://github.com/advisories).
+1. Type or paste `follow-redirects` into the advisory search box.
+1. Click on any of the advisories that were found to see more information.
+1. You'll see the packages, impact, patches, workaround, and references for the advisory.
+
+Notice the long list of advisories for our dependency! This can look scary but it's actually a good thing. It means that our dependency is actively being maintained and patches are being pushed to remove the vulnerability. If we had Dependabot alerts enabled, we could receive alerts when we need to update a dependency and act promptly to secure them.
+
+Let's enable Dependabot alerts on our repository!
+
+### :keyboard: Activity 2.2: Enable Dependabot alerts
+
+1. Navigate to the **Settings** tab.
+1. Display the settings for **Advanced Security**.
+1. **Enable** Dependabot alerts.
+1. **Wait about 60 seconds for Dependabot to check for alerts.**
+1. Navigate to the **Security** tab.
+1. Under "Vulnerability alerts" in the side bar, select **Dependabot** to view a list of the Dependabot alerts for the default branch.
+
+Dependabot has alerted us to vulnerabilities in the dependencies that we use. We can also use Dependabot to help us address these vulnerabilities by creating pull requests to update the dependency to a safe version.
+
+Let's see how this would work by using Dependabot to create a pull request for one of the alerts!
+
+### :keyboard: Activity 2.3: Create a pull request based on a Dependabot alert
+
+1. In the list of Dependabot alerts, click the "Prototype Pollution in minimist" to display more information.
+1. Click the **Create Dependabot security update** button to create a pull request to update the dependency. This could take up to 2 minutes.
+1. When the pull request is open, the alert page is updated to show a **Review security update** button.
+1. Click the **Review security update** button to display the pull request.
+   - You can view the pull request and **Files changed** tab to review the update.
+1. Navigate back to the **Conversation** tab and merge the pull request.
+1. With the pull request merged, Mona should already be busy checking your work. Give her a moment and keep watch in the comments. You will see her respond with progress info and the next lesson.
@@ -0,0 +1,20 @@
+## Step 3: Enable and trigger Dependabot security updates
+
+_Nice work enabling, viewing, and creating Dependabot alerts :sparkles:_
+
+Enabling Dependabot alerts on our repository was a great step toward improving our code security, but we still had to manually select an alert and then manually select the option to create the pull request. It would be nice to further improve the automation and maintenance of our dependencies! Well, with Dependabot security updates, we can do just that.
+
+**What are Dependabot security updates?**
+
+When this feature is enabled, Dependabot detects *and* fixes vulnerable dependencies for you by opening pull requests automatically to resolve Dependabot alerts.
+
+We manually created a pull request to fix the "Prototype Pollution in minimist" alert, but let's enable Dependabot security updates to automate this process for future alerts!
+
+### :keyboard: Activity 3.1: Enable and trigger Dependabot security updates
+
+1. Navigate to the **Settings** tab and select **Advanced Security**.
+1. Enable **Dependabot security updates**. You may need to wait 30-60 seconds before you see any new pull requests.
+1. Navigate to the **Pull requests** repository tab to view the what Dependabot has found.
+1. Find the new pull request that requests to patch the **axios** dependency.
+1. Review and merge the pull request.
+1. With the pull request merged, Mona should already be busy checking your work. Give her a moment and keep watch in the comments. You will see her respond with progress info and the next lesson.
@@ -0,0 +1,46 @@
+## Step 4: Enable and trigger Dependabot version updates
+
+_Nicely done!_ :partying_face:
+
+You now have automated the process for Dependabot to alert you to vulnerabilities with your dependencies and to create pull requests to update them to secure versions! At this point, you only need to review the pull request and then merge it to stay on top of security problems with Dependencies.
+
+> [!NOTE]  
+> Did you notice that there were several pull requests suggested by Dependabot? You only merged the one related to the **axios** dependency, but the others disappeared from the **Pull requests** panel. That's because the upgrade of the axios dependency triggered changes of other transitive dependencies, that might be either removed or updated to other versions. Whenever there is a change in your dependency graph, Dependabot will automatically review the existing pull requests and close the ones that are no longer relevant. So don't merge everything at once, let Dependabot do the job for you! 
+<img width="955" alt="Screenshot showing that the axios PR was merged and that the 2 others were closed" src="https://github.com/user-attachments/assets/6c97f90b-c6e2-4865-b1eb-dd7053383f07" />
+
+
+The security updates feature helps automate the process to resolve alerts, but what about just keeping up-to-date with version updates? We can also automate pull request generation for updated versions of dependencies using the Dependabot version updates feature.
+
+**What are Dependabot version updates?**: In addition to security alerts, Dependabot can also take the effort out of maintaining your dependencies. You can use it to ensure that your repository automatically keeps up with the latest releases of the packages and applications it depends on. Similar to security alerts, Dependabot will identify an outdated dependency and create a pull request to update the manifest to the latest version of the dependency.
+
+Let's see how this works!
+
+### :keyboard: Activity 4.1: Enable and trigger Dependabot version updates
+
+1. Navigate to the **Settings** tab and select **Advanced Security**.
+1. Locate **Dependabot version updates** and click **Configure** to open a new file editor with pre-poplulated contents. The file is called `dependabot.yml`.
+1. Notice that the file is prepopulated to update the GitHub actions in the repository, the `github-actions` package ecosystem.
+1. Edit your `dependabot.yml` configuration file to include another entry. It should look like:
+
+   ```yaml
+   version: 2
+   updates:
+     - package-ecosystem: "github-actions"
+       directory: "/"
+       schedule:
+         interval: "monthly"
+     - package-ecosystem: "nuget"
+       directory: "/code/"
+       schedule:
+         interval: "weekly"
+   ```
+  
+   > 💡 **Tip:** While, you can edit and commit a file directly on github.com, you can also press the period key `.` to open a lightweight VS Code editor directly in browser.
+
+1. Commit your changes directly to the `main` branch.
+1. With the configuration file updated, Mona should already be busy checking your work. Give her a moment and keep watch in the comments. You will see her respond with progress info and the next lesson.
+
+You have now configured Dependabot version updates to run and check for updates as follows:
+
+- Check once a month for updates to GitHub Actions and create pull requests to update any that are out of date.
+- Check once a week for updates to .NET packages and create pull requests to update any that are out of date. By default, this check runs on a Monday, to run the check on a different day, see [schedule.day](https://docs.github.com/en/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#scheduleday).
@@ -0,0 +1,26 @@
+## Review
+
+_Congratulations, you've completed this exercise and learned a lot securing your supply chain!_
+
+<img src="https://octodex.github.com/images/jetpacktocat.png" alt="celebrate" width=200 align=right>
+Here's a recap of all the tasks you've accomplished in your repository:
+
+- You've learned how to view and use dependency graph.
+- You've learned how to enable and use Dependabot alerts.
+- You've learned how to enable and use Dependabot security updates.
+- You've learned how to enable and use Dependabot version updates.
+
+### Additional learning and resources
+
+- [Dependency graph](https://docs.github.com/en/code-security/supply-chain-security/understanding-your-software-supply-chain/about-the-dependency-graph)
+- [Exploring the dependencies of a repository](https://docs.github.com/en/code-security/supply-chain-security/understanding-your-software-supply-chain/exploring-the-dependencies-of-a-repository)
+- [About supply chain security](https://docs.github.com/en/code-security/supply-chain-security/understanding-your-software-supply-chain/about-supply-chain-security)
+- [Dependabot alerts](https://docs.github.com/en/code-security/dependabot/dependabot-alerts/about-dependabot-alerts)
+- [GitHub Advisory Database](https://docs.github.com/en/code-security/dependabot/dependabot-alerts/browsing-security-advisories-in-the-github-advisory-database)
+
+### What's next?
+
+- Learn more about securing your supply chain by reading: [Securing your supply chain](https://docs.github.com/en/code-security/supply-chain-security/understanding-your-software-supply-chain/about-supply-chain-security).
+- Check out other security focused [GitHub Skills exercises](https://learn.github.com/skills).
+- [Read the Get started with GitHub docs](https://docs.github.com/en/get-started).
+- To find projects to contribute to, check out [GitHub Explore](https://github.com/explore).
@@ -0,0 +1,63 @@
+name: Step 0 # Start Exercise
+
+on:
+  push:
+    branches:
+      - main
+
+permissions:
+  contents: write
+  actions: write
+  issues: write
+
+env:
+  STEP_1_FILE: ".github/steps/1-dependency-graph.md"
+
+jobs:
+  start_exercise:
+    if: |
+      !github.event.repository.is_template
+    name: Start Exercise
+    uses: skills/exercise-toolkit/.github/workflows/[email protected]
+    with:
+      exercise-title: "Secure your Repository's Supply Chain"
+      intro-message: "Let's explore how to secure your repository's supply chain, understand dependencies in your environment, and find vulnerabilities in those dependencies and patch them. 💻✨"
+
+  post_next_step_content:
+    name: Post next step content
+    runs-on: ubuntu-latest
+    needs: [start_exercise]
+    env:
+      ISSUE_REPOSITORY: ${{ github.repository }}
+      ISSUE_NUMBER: ${{ needs.start_exercise.outputs.issue-number }}
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v6
+
+      - name: Get response templates
+        uses: actions/checkout@v6
+        with:
+          repository: skills/exercise-toolkit
+          path: exercise-toolkit
+          ref: v0.7.3
+
+      - name: Create comment - add step content
+        uses: GrantBirki/[email protected]
+        with:
+          repository: ${{ env.ISSUE_REPOSITORY }}
+          issue-number: ${{ env.ISSUE_NUMBER }}
+          file: ${{ env.STEP_1_FILE }}
+
+      - name: Create comment - watching for progress
+        uses: GrantBirki/[email protected]
+        with:
+          repository: ${{ env.ISSUE_REPOSITORY }}
+          issue-number: ${{ env.ISSUE_NUMBER }}
+          file: exercise-toolkit/markdown-templates/step-feedback/watching-for-progress.md
+
+      - name: Enable next step workflow
+        run: |
+          gh workflow enable "Step 1"
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}