diff --git a/.github/dependabot.yml b/.github/dependabot.yml
new file mode 100644
index 0000000..8ac6b8c
--- /dev/null
+++ b/.github/dependabot.yml
@@ -0,0 +1,6 @@
+version: 2
+updates:
+ - package-ecosystem: "github-actions"
+ directory: "/"
+ schedule:
+ interval: "monthly"
diff --git a/.github/steps/-step.txt b/.github/steps/-step.txt
new file mode 100644
index 0000000..573541a
--- /dev/null
+++ b/.github/steps/-step.txt
@@ -0,0 +1 @@
+0
diff --git a/.github/steps/0-welcome.md b/.github/steps/0-welcome.md
new file mode 100644
index 0000000..9ff13a5
--- /dev/null
+++ b/.github/steps/0-welcome.md
@@ -0,0 +1 @@
+
diff --git a/.github/steps/1-dependency-graph.md b/.github/steps/1-dependency-graph.md
new file mode 100644
index 0000000..d5c71bc
--- /dev/null
+++ b/.github/steps/1-dependency-graph.md
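Review bot: This schedule only keeps `uses:` references current; it does not change that every workflow in this commit references its actions by a mutable tag (`actions/checkout@v4`, `skills/action-check-file@v1`, `skills/action-update-step@v2`), the last of which is handed `secrets.GITHUB_TOKEN` under a `contents: write` grant. Pinning those references to full commit SHAs with the tag kept in a trailing comment (`uses: skills/action-update-step@<sha> # v2`) removes the tag-retargeting risk, and this `github-actions` entry will, as I recall, bump SHA pins just as it bumps tags. A `"weekly"` interval would also shorten the window before a fixed action reaches these workflows; `"monthly"` is on the slow side for a repository whose only logic lives in Actions.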
@@ -0,0 +1,46 @@ +## Step 1: Review and add dependencies using dependency graph + +_Welcome to "Secure your repository's supply chain"! :wave:_ + +**What's the big deal about securing your repository's supply chain?**: With the accelerated use of open source, most projects depend on hundreds of open-source dependencies. This poses a security problem: what if the dependencies you're using are vulnerable? You could be putting your users at risk of a supply chain attack. One of the most important things you can do to protect your supply chain is to patch your vulnerable dependencies and replace any malware. + +GitHub offers a range of features to help you understand the dependencies in your environment, know about vulnerabilities in those dependencies, and patch them. The supply chain features on GitHub are: + +- Dependency graph +- Dependency review +- Dependabot alerts +- Dependabot updates + - Dependabot security updates + - Dependabot version updates + +**What is a dependency graph**: The dependency graph is a summary of the manifest and lock files stored in a repository and any dependencies that are submitted for the repository using the dependency submission API (beta). For each repository, it shows: + +- Dependencies, the ecosystems and packages it depends on +- Dependents, the repositories and packages that depend on it + +### :keyboard: Activity: Verify that dependency graph is enabled + +**We recommend opening another browser tab to work through the following activities so you can keep these instructions open for reference.** + +1. Navigate to the `Settings` tab. +1. Click `Code security and analysis`. +1. Verify/enable **Dependency graph**. (If the repo is private, you will enable it here. If the repo is public, it will be enabled by default) + +### :keyboard: Activity: Add a new dependency and view your dependency graph + +1. Navigate to the `Code` tab and locate the `code/src/AttendeeSite` folder. +1. 
Add the following content to the `package-lock.json` file after the third to last `}` + ``` + , + "follow-redirects": { + "version": "1.14.1", + "resolved": "https://registry.npmjs.org/follow-redirects/-/follow-redirects-1.14.1.tgz", + "integrity": "sha512-HWqDgT7ZEkqRzBvc2s64vSZ/hfOceEol3ac/7tKwzuvEyWx3/4UegXh5oBOIotkGsObyk3xznnSRVADBgWSQVg==" + } + ``` +1. Navigate to the `Insights` tab. +1. Click `Dependency graph`. +1. Review all new dependencies on the `Dependencies` hub. +1. Search for `follow-redirects` and review the new dependency you just added. + ![Screen Shot 2022-10-17 at 3 37 36 PM](https://user-images.githubusercontent.com/6351798/196288729-734e3319-c5d7-4f35-a19c-676c12f0e27d.png) +1. Wait about 20 seconds then refresh this page (the one you're following instructions from). [GitHub Actions](https://docs.github.com/en/actions) will automatically update to the next step. diff --git a/.github/steps/2-dependabot-alerts.md b/.github/steps/2-dependabot-alerts.md new file mode 100644 index 0000000..83cf7f6 --- /dev/null +++ b/.github/steps/2-dependabot-alerts.md 
@@ -0,0 +1,43 @@ +## Step 2: Enable and view Dependabot alerts + +_Nice work! :tada: You added and viewed a dependency with `dependency graph`!_ + +Given how many dependencies our repository is using, maintaining them needs to become an automated task. Keeping our code secure is a top priority, so one thing we need to do is set up a way to be notified when a dependency we are using is vulnerable or malware. We can do this by enabling Dependabot alerts! + +**What are Dependabot alerts?**: Dependabot alerts tell you that your code depends on a package that is insecure. These Dependabot alerts reference the [GitHub Advisory Database](https://github.com/advisories), which contains a list of known security vulnerabilities and malware, grouped in two categories: **GitHub reviewed advisories** and **unreviewed advisories**. + +If your code depends on a package that has a security vulnerability, this can cause a range of problems for your project or the people who use it. You should upgrade to a secure version of the package as soon as possible. If your code uses malware, you need to replace the package with a secure alternative. + +Let's try this out with our newly added `follow-redirects` dependency! + +### :keyboard: Activity: View security advisories in the GitHub Advisory Database + +1. Navigate to the [GitHub Advisory Database](https://github.com/advisories). +1. Type or paste `follow-redirects` into the search box. +1. Click on any of the advisories that were found. +1. Note the packages, impact, patches, workaround, and references for the advisory. + +Notice the list of advisories for our dependency! This can look scary but it's actually a good thing. It means that our dependency is actively being maintained and patches are being pushed to remove the vulnerability. If we had Dependabot alerts enabled, we could receive alerts when we need to update a dependency and act promptly to secure them. + +Let's enable Dependabot alerts on our repository! 
+ +### :keyboard: Activity: Enable Dependabot alerts + +1. Navigate to the `Settings` tab. +1. Click `Code security and analysis`. +1. Click `Enable` Dependabot alerts (**Wait about 60 seconds and then click the `Security` tab at the top of the repository**). +1. Review each of the `Dependabot` alerts under the `Vulnerability alerts` section. + +Dependabot has alerted us of vulnerabilities that need to be updated from the dependencies that we are using. Dependabot helps us address these vulnerabilities by creating pull requests for each one as we select and review the alert. + +Let's see how this would work by using Dependabot to create a pull request for one of the alerts! + +### :keyboard: Activity: Create a pull request based on a Dependabot alert + +1. Select the `Prototype Pollution in minimist` alert under the `Dependabot alerts` section and click on the alert. +1. Click the `Create Dependabot security update` button (**This will create a pull request for the fix and could take ~2 minutes**). +1. Click the `Review security update` button. The pull request will be displayed. + - You can view the pull request and `Files changed` tab to review the update. +1. Navigate back to the `Conversation` tab and click the `Merge pull request` button. +1. Click `Confirm merge`. +1. Wait about 20 seconds then refresh this page (the one you're following instructions from). [GitHub Actions](https://docs.github.com/en/actions) will automatically update to the next step. diff --git a/.github/steps/3-dependabot-security.md b/.github/steps/3-dependabot-security.md new file mode 100644 index 0000000..79d78ba --- /dev/null +++ b/.github/steps/3-dependabot-security.md 
@@ -0,0 +1,18 @@ +## Step 3: Enable and trigger Dependabot security updates + +_Nice work enabling, viewing, and creating Dependabot alerts :sparkles:_ + +Enabling Dependabot alerts on our repository was a great step toward improving our code security, but we still had to manually select an alert and then manually select the option to create the pull request. It would be nice to further improve the automation and maintenance of our dependencies! Well, with Dependabot security updates, we can do just that. + +**What are Dependabot security updates?**: When enabled, Dependabot will detect and fix vulnerable dependencies for you by opening pull requests automatically to resolve Dependabot alerts when they arise. + +We manually created the pull request for the `Prototype Pollution in minimist` alert, but let's now enable Dependabot security updates to automate this process with the next alert! + +### :keyboard: Activity: Enable and trigger Dependabot security updates + +1. Navigate to the `Settings` tab, select `Code security and analysis`, and enable the `Dependabot security updates`. +1. Navigate to the `Pull requests` repository tab and select the newly created pull request that updates axios from version 0.21.1 to a patched version. + - You may need to wait 30-60 seconds. +1. Click the `Merge pull request` button. +1. Click `Confirm merge`. +1. Wait about 20 seconds then refresh this page (the one you're following instructions from). [GitHub Actions](https://docs.github.com/en/actions) will automatically update to the next step. diff --git a/.github/steps/4-dependabot-versions.md b/.github/steps/4-dependabot-versions.md new file mode 100644 index 0000000..3e8fe66 --- /dev/null +++ b/.github/steps/4-dependabot-versions.md 
@@ -0,0 +1,21 @@ +## Step 4: Enable and trigger Dependabot version updates + +_Nicely done!_ :partying_face: + +You now have automated the process for Dependabot to alert and create pull requests to update your dependencies! At this point, you only need to review the pull request and then merge it to stay on top of your security alerts. + +The security updates feature helps automate the process to resolve alerts, but what about just keeping up-to-date with version updates? We can have the same automation to update our dependencies for updated versions using the Dependabot version updates feature. + +**What are Dependabot version updates?**: In addition to security alerts, Dependabot can also take the effort out of maintaining your dependencies. You can use it to ensure that your repository automatically keeps up with the latest releases of the packages and applications it depends on. Just like security alerts, Dependabot will identify an outdated dependency and create a pull request to update the manifest to the latest version of the dependency. + +Let's see how this works! + +### :keyboard: Activity: Enable and trigger Dependabot version updates + +1. Navigate to the `Settings` tab, select `Code security and analysis`, and enable the `Dependabot version updates`. + - A new file editor opens with pre-poplulated contents. The file is called `dependabot.yml`. +1. Add `nuget` to the `package-ecosystem`. +1. Change the `directory` to `/code/`. (The `dependabot.yml` file should look like this) + ![Screen Shot 2022-09-27 at 6 52 45 AM](https://user-images.githubusercontent.com/26442605/192545528-dfc33648-94ce-4421-8710-c5bb0a41b0ec.png) +1. Click `Commit changes` directly to the main branch. +1. Wait about 20 seconds then refresh this page (the one you're following instructions from). [GitHub Actions](https://docs.github.com/en/actions) will automatically update to the next step. 
diff --git a/.github/steps/X-finish.md b/.github/steps/X-finish.md new file mode 100644 index 0000000..f67dfa1 --- /dev/null +++ b/.github/steps/X-finish.md 
@@ -0,0 +1,28 @@ +## Finish + +_Congratulations friend, you've completed this course!_ + +celebrate + +Here's a recap of all the tasks you've accomplished in your repository: + +- You've learned how to view and use dependency graph. +- You've learned how to enable and use Dependabot alerts. +- You've learned how to enable and use Dependabot security updates. +- You've learned how to enable and use Dependabot version updates. + +### Additional learning and resources + +- [Dependency graph](https://docs.github.com/en/code-security/supply-chain-security/understanding-your-software-supply-chain/about-the-dependency-graph) +- [Exploring the dependencies of a repository](https://docs.github.com/en/code-security/supply-chain-security/understanding-your-software-supply-chain/exploring-the-dependencies-of-a-repository) +- [About supply chain security](https://docs.github.com/en/code-security/supply-chain-security/understanding-your-software-supply-chain/about-supply-chain-security) +- [Dependabot alerts](https://docs.github.com/en/code-security/dependabot/dependabot-alerts/about-dependabot-alerts) +- [GitHub Advisory Database](https://docs.github.com/en/code-security/dependabot/dependabot-alerts/browsing-security-advisories-in-the-github-advisory-database) + +### What's next? + +- Learn more about securing your supply chain by reading: [Securing your supply chain](https://docs.github.com/en/code-security/supply-chain-security/understanding-your-software-supply-chain/about-supply-chain-security). +- [We'd love to hear what you thought of this course](https://github.com/skills/.github/discussions). +- [Learn another GitHub skill](https://github.com/skills). +- [Read the Get started with GitHub docs](https://docs.github.com/en/get-started). +- To find projects to contribute to, check out [GitHub Explore](https://github.com/explore). diff --git a/.github/workflows/0-welcome.yml b/.github/workflows/0-welcome.yml new file mode 100644 index 0000000..7c6c394 --- /dev/null 
+++ b/.github/workflows/0-welcome.yml
@@ -0,0 +1,61 @@
+name: Step 0, Welcome
+
+# This step triggers after the learner creates a new repository from the template.
+# This workflow updates from step 0 to step 1.
+
+# This will run every time we create push a commit to `main`.
+# Reference: https://docs.github.com/en/actions/learn-github-actions/events-that-trigger-workflows
+on:
+ create:
+ workflow_dispatch:
+
+# Reference: https://docs.github.com/en/actions/security-guides/automatic-token-authentication
+permissions:
+ # Need `contents: read` to checkout the repository.
+ # Need `contents: write` to update the step metadata.
+ contents: write
+
+jobs:
+ # Get the current step to only run the main job when the learner is on the same step.
+ get_current_step:
+ name: Check current step number
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v4
+ - id: get_step
+ run: |
+ echo "current_step=$(cat ./.github/steps/-step.txt)" >> $GITHUB_OUTPUT
+ outputs:
+ current_step: ${{ steps.get_step.outputs.current_step }}
+
+ on_start:
+ name: On start
+ needs: get_current_step
+
+ # We will only run this action when:
+ # 1. This repository isn't the template repository.
+ # 2. The step is currently 0.
+ # Reference: https://docs.github.com/en/actions/learn-github-actions/contexts
+ # Reference: https://docs.github.com/en/actions/learn-github-actions/expressions
+ if: >-
+ ${{ !github.event.repository.is_template
+ && needs.get_current_step.outputs.current_step == 0 }}
+
+ # We'll run Ubuntu for performance instead of Mac or Windows.
+ runs-on: ubuntu-latest
+
+ steps:
+ # We'll need to check out the repository so that we can edit the README.
+ - name: Checkout
+ uses: actions/checkout@v4
+ with:
+ fetch-depth: 0 # Let's get all the branches.
+
+ # In README.md, switch step 0 for step 1.
+ - name: Update to step 1
+ uses: skills/action-update-step@v2
+ with:
+ token: ${{ secrets.GITHUB_TOKEN }}
+ from_step: 0
+ to_step: 1
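Review bot: The workflow-level `permissions: contents: write` applies to both jobs, but `get_current_step` only reads `.github/steps/-step.txt` and needs no write access; only `on_start`, which passes `secrets.GITHUB_TOKEN` to `skills/action-update-step@v2`, does. Setting `permissions: contents: read` at the top and adding `permissions: contents: write` under `on_start` keeps the token read-only in the job that merely shells over repository content. Separately, the `create` trigger fires on any branch or tag creation, not only on the template instantiation the header comment describes; the `current_step == 0` guard is what keeps later runs inert, and the comment could say so. The comment `# This will run every time we create push a commit to \`main\`.` also has a stray word.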
diff --git a/.github/workflows/1-dependency-graph.yml b/.github/workflows/1-dependency-graph.yml
new file mode 100644
index 0000000..0214cb2
--- /dev/null
+++ b/.github/workflows/1-dependency-graph.yml
@@ -0,0 +1,68 @@
+name: Step 1, Review add dependency graph
+
+# This step triggers after push to main.
+# This workflow updates from step 1 to step 2.
+
+# This will run every time we push to main.
+# Reference: https://docs.github.com/en/actions/learn-github-actions/events-that-trigger-workflows
+on:
+ workflow_dispatch:
+ push:
+ branches:
+ - main
+
+# Reference: https://docs.github.com/en/actions/security-guides/automatic-token-authentication
+permissions:
+ # Need `contents: read` to checkout the repository.
+ # Need `contents: write` to update the step metadata.
+ contents: write
+
+jobs:
+ # Get the current step to only run the main job when the learner is on the same step.
+ get_current_step:
+ name: Check current step number
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v4
+ - id: get_step
+ run: |
+ echo "current_step=$(cat ./.github/steps/-step.txt)" >> $GITHUB_OUTPUT
+ outputs:
+ current_step: ${{ steps.get_step.outputs.current_step }}
+
+ on_add_dependency:
+ name: On Add dependency
+ needs: get_current_step
+
+ # We will only run this action when:
+ # 1. This repository isn't the template repository.
+ # 2. The step is currently 0.
+ # Reference: https://docs.github.com/en/actions/learn-github-actions/contexts
+ # Reference: https://docs.github.com/en/actions/learn-github-actions/expressions
+ if: >-
+ ${{ !github.event.repository.is_template
+ && needs.get_current_step.outputs.current_step == 1 }}
+
+ # We'll run Ubuntu for performance instead of Mac or Windows.
+ runs-on: ubuntu-latest
+
+ steps:
+ # We'll need to check out the repository so that we can edit the README.
+ - name: Checkout
+ uses: actions/checkout@v4
+
+ # Verify the learner added the file contents.
+ - name: Check package-lock.json
+ uses: skills/action-check-file@v1
+ with:
+ file: "code/src/AttendeeSite/package-lock.json"
+ search: "1\\.14\\.1"
+
+ # In README.md, switch step 1 for step 2.
+ - name: Update to step 2
+ uses: skills/action-update-step@v2
+ with:
+ token: ${{ secrets.GITHUB_TOKEN }}
+ from_step: 1
+ to_step: 2
diff --git a/.github/workflows/2-dependabot-alerts.yml b/.github/workflows/2-dependabot-alerts.yml
new file mode 100644
index 0000000..7f7ff67
--- /dev/null
+++ b/.github/workflows/2-dependabot-alerts.yml
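Review bot: The `Check package-lock.json` step's `search: "1\\.14\\.1"` matches that version string anywhere in the lockfile, so any other package already resolved at 1.14.1 would satisfy the step without the learner having added `follow-redirects` at all. Anchoring the pattern to the package, e.g. `search: "follow-redirects-1\\.14\\.1"` (the tarball name in the `resolved` URL the learner is asked to paste), ties the check to the intended change. The job comment `# 2. The step is currently 0.` is stale in this workflow, whose guard is `current_step == 1`.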
@@ -0,0 +1,77 @@
+name: Step 2, Dependabot alerts
+
+# This step triggers after push to main.
+# This workflow updates from step 2 to step 3.
+
+# This will run every time we push to main.
+# Reference: https://docs.github.com/en/actions/learn-github-actions/events-that-trigger-workflows
+on:
+ workflow_dispatch:
+ push:
+ branches:
+ - main
+
+# Reference: https://docs.github.com/en/actions/security-guides/automatic-token-authentication
+permissions:
+ # Need `contents: read` to checkout the repository.
+ # Need `contents: write` to update the step metadata.
+ contents: write
+
+jobs:
+ # Get the current step to only run the main job when the learner is on the same step.
+ get_current_step:
+ name: Check current step number
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v4
+ - id: get_step
+ run: |
+ echo "current_step=$(cat ./.github/steps/-step.txt)" >> $GITHUB_OUTPUT
+ outputs:
+ current_step: ${{ steps.get_step.outputs.current_step }}
+
+ on_DependabotPrCreated:
+ name: On Creation of a PR
+ needs: get_current_step
+
+ # We will only run this action when:
+ # 1. This repository isn't the template repository.
+ # 2. The step is currently 2.
+ # Reference: https://docs.github.com/en/actions/learn-github-actions/contexts
+ # Reference: https://docs.github.com/en/actions/learn-github-actions/expressions
+ if: >-
+ ${{ !github.event.repository.is_template
+ && needs.get_current_step.outputs.current_step == 2 }}
+
+ # We'll run Ubuntu for performance instead of Mac or Windows.
+ runs-on: ubuntu-latest
+
+ steps:
+ # We'll need to check out the repository so that we can edit the README.
+ - name: Checkout
+ uses: actions/checkout@v4
+ with:
+ fetch-depth: 0 # Let's get all the branches.
+
+ # Verify the PR updated package.json.
+ - name: Check package.json for minimist version other than 1.2.5
+ uses: skills/action-check-file@v1
+ with:
+ file: "code/src/AttendeeSite/package.json"
+ search: "\"minimist\":[\ \\n\\r\\t]*\"\\^(?!1\\.2\\.[0-5])(0|[1-9][0-9]*)\\.(0|[1-9][0-9]*)\\.(0|[1-9][0-9]*)(?:-((?:0|[1-9][0-9]*|[0-9]*[a-zA-Z-][0-9a-zA-Z-]*)(?:\\.(?:0|[1-9][0-9]*|[0-9]*[a-zA-Z-][0-9a-zA-Z-]*))*))?(?:\\+([0-9a-zA-Z-]+(?:\\.[0-9a-zA-Z-]+)*))?\""
+
+ # Verify the PR updated package-lock.json.
+ - name: Check package-lock.json for minimist version other than 1.2.5
+ uses: skills/action-check-file@v1
+ with:
+ file: "code/src/AttendeeSite/package-lock.json"
+ search: "minimist-(?!1\\.2\\.[0-5])(0|[1-9][0-9]*)\\.(0|[1-9][0-9]*)\\.(0|[1-9][0-9]*)(?:-((?:0|[1-9][0-9]*|[0-9]*[a-zA-Z-][0-9a-zA-Z-]*)(?:\\.(?:0|[1-9][0-9]*|[0-9]*[a-zA-Z-][0-9a-zA-Z-]*))*))?(?:\\+([0-9a-zA-Z-]+(?:\\.[0-9a-zA-Z-]+)*))?"
+
+ # In README.md, switch step 2 for step 3.
+ - name: Update to step 3
+ uses: skills/action-update-step@v2
+ with:
+ token: ${{ secrets.GITHUB_TOKEN }}
+ from_step: 2
+ to_step: 3
diff --git a/.github/workflows/3-dependabot-security.yml b/.github/workflows/3-dependabot-security.yml
new file mode 100644
index 0000000..8320951
--- /dev/null
+++ b/.github/workflows/3-dependabot-security.yml
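Review bot: Both `search` patterns accept any minimist version except `1.2.0`–`1.2.5` via the lookahead `(?!1\\.2\\.[0-5])`, so a range such as `^0.0.8` or `^1.1.0` passes the check even though, as I recall, the prototype-pollution advisory this step targets is only fixed in 1.2.6 (and 0.2.4 on the 0.x line). Since the step is meant to confirm the Dependabot security PR was merged, excluding the older lines as well, `(?!0\\.|1\\.[01]\\.|1\\.2\\.[0-5])` in both patterns, would make the check assert "patched" rather than "not an old 1.2.x". The step names say "other than 1.2.5" while the lookahead rejects 1.2.0 through 1.2.5; renaming them to "below 1.2.6" would describe what the regex actually enforces.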
@@ -0,0 +1,77 @@
+name: Step 3, Dependabot Security Updates
+
+# This step triggers after push to main.
+# This workflow updates from step 3 to step 4.
+
+# This will run every time we push to main.
+# Reference: https://docs.github.com/en/actions/learn-github-actions/events-that-trigger-workflows
+on:
+ workflow_dispatch:
+ push:
+ branches:
+ - main
+
+# Reference: https://docs.github.com/en/actions/security-guides/automatic-token-authentication
+permissions:
+ # Need `contents: read` to checkout the repository.
+ # Need `contents: write` to update the step metadata.
+ contents: write
+
+jobs:
+ # Get the current step to only run the main job when the learner is on the same step.
+ get_current_step:
+ name: Check current step number
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v4
+ - id: get_step
+ run: |
+ echo "current_step=$(cat ./.github/steps/-step.txt)" >> $GITHUB_OUTPUT
+ outputs:
+ current_step: ${{ steps.get_step.outputs.current_step }}
+
+ on_DependabotSecurityUpdates:
+ name: On Dependabot Security Updates
+ needs: get_current_step
+
+ # We will only run this action when:
+ # 1. This repository isn't the template repository.
+ # 2. The step is currently 3.
+ # Reference: https://docs.github.com/en/actions/learn-github-actions/contexts
+ # Reference: https://docs.github.com/en/actions/learn-github-actions/expressions
+ if: >-
+ ${{ !github.event.repository.is_template
+ && needs.get_current_step.outputs.current_step == 3 }}
+
+ # We'll run Ubuntu for performance instead of Mac or Windows.
+ runs-on: ubuntu-latest
+
+ steps:
+ # We'll need to check out the repository so that we can edit the README.
+ - name: Checkout
+ uses: actions/checkout@v4
+ with:
+ fetch-depth: 0 # Let's get all the branches.
+
+ # Verify the PR added the dependabot changes.
+ - name: Check package.json for axios version other than 0.21.1
+ uses: skills/action-check-file@v1
+ with:
+ file: "code/src/AttendeeSite/package.json"
+ search: "\"axios\":[\ \\n\\r\\t]*\"\\^(?!0\\.21\\.[01])(0|[1-9][0-9]*)\\.(0|[1-9][0-9]*)\\.(0|[1-9][0-9]*)(?:-((?:0|[1-9][0-9]*|[0-9]*[a-zA-Z-][0-9a-zA-Z-]*)(?:\\.(?:0|[1-9][0-9]*|[0-9]*[a-zA-Z-][0-9a-zA-Z-]*))*))?(?:\\+([0-9a-zA-Z-]+(?:\\.[0-9a-zA-Z-]+)*))?\""
+
+ # Verify the PR added the dependabot changes.
+ - name: Check package-lock.json for axios version other than 0.21.1
+ uses: skills/action-check-file@v1
+ with:
+ file: "code/src/AttendeeSite/package-lock.json"
+ search: "axios-(?!0\\.21\\.[01])(0|[1-9][0-9]*)\\.(0|[1-9][0-9]*)\\.(0|[1-9][0-9]*)(?:-((?:0|[1-9][0-9]*|[0-9]*[a-zA-Z-][0-9a-zA-Z-]*)(?:\\.(?:0|[1-9][0-9]*|[0-9]*[a-zA-Z-][0-9a-zA-Z-]*))*))?(?:\\+([0-9a-zA-Z-]+(?:\\.[0-9a-zA-Z-]+)*))?"
+
+ # In README.md, switch step 3 for step 4.
+ - name: Update to step 4
+ uses: skills/action-update-step@v2
+ with:
+ token: ${{ secrets.GITHUB_TOKEN }}
+ from_step: 3
+ to_step: 4
diff --git a/.github/workflows/4-dependabot-versions.yml b/.github/workflows/4-dependabot-versions.yml
new file mode 100644
index 0000000..636c8a9
--- /dev/null
+++ b/.github/workflows/4-dependabot-versions.yml
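Review bot: The lookahead `(?!0\\.21\\.[01])` in both `search` patterns rejects only 0.21.0 and 0.21.1, so a downgrade such as `^0.20.0` satisfies the step although it is older than the version the step is supposed to see patched; the Dependabot PR this workflow waits for bumps to 0.21.2 or later as I recall, so the check should require that floor, e.g. `(?!0\\.(?:[0-9]|1[0-9]|20)\\.|0\\.21\\.[01])`. The two step comments are both `# Verify the PR added the dependabot changes.`; the second should say `package-lock.json` as the minimist workflow does. Both `actions/checkout@v4` invocations in this file use `fetch-depth: 0`, which none of the subsequent file checks need; the default shallow checkout would suffice and is cheaper.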
@@ -0,0 +1,72 @@
+name: Step 4, Add Dependabot version updates
+
+# This step triggers after push to dependabot.yml.
+# This step updates from step 4 to X.
+
+# This will run every time we push to dependabot.yml.
+# Reference: https://docs.github.com/en/actions/learn-github-actions/events-that-trigger-workflows
+on:
+ workflow_dispatch:
+ push:
+ branches:
+ - main
+ paths:
+ - ".github/dependabot.yml"
+
+# Reference: https://docs.github.com/en/actions/security-guides/automatic-token-authentication
+permissions:
+ # Need `contents: read` to checkout the repository.
+ # Need `contents: write` to update the step metadata.
+ contents: write
+
+jobs:
+ # Get the current step to only run the main job when the learner is on the same step.
+ get_current_step:
+ name: Check current step number
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v4
+ - id: get_step
+ run: |
+ echo "current_step=$(cat ./.github/steps/-step.txt)" >> $GITHUB_OUTPUT
+ outputs:
+ current_step: ${{ steps.get_step.outputs.current_step }}
+
+ on_dependabot_versions:
+ name: On dependabot versions
+ needs: get_current_step
+
+ # We will only run this action when:
+ # 1. This repository isn't the template repository.
+ # 2. The step is currently 4.
+ # Reference: https://docs.github.com/en/actions/learn-github-actions/contexts
+ # Reference: https://docs.github.com/en/actions/learn-github-actions/expressions
+ if: >-
+ ${{ !github.event.repository.is_template
+ && needs.get_current_step.outputs.current_step == 4 }}
+
+ # We'll run Ubuntu for performance instead of Mac or Windows.
+ runs-on: ubuntu-latest
+
+ steps:
+ # We'll need to check out the repository so that we can edit the README.
+ - name: Checkout
+ uses: actions/checkout@v4
+ with:
+ fetch-depth: 0 # Let's get all the branches.
+
+ # Verify the learner added the file contents.
+ - name: Check dependabot.yml
+ uses: skills/action-check-file@v1
+ with:
+ file: ".github/dependabot.yml"
+ search: "nuget"
+
+ # In README.md, switch step 3 for step X.
+ - name: Update to step X
+ uses: skills/action-update-step@v2
+ with:
+ token: ${{ secrets.GITHUB_TOKEN }}
+ from_step: 4
+ to_step: X
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..773bfd6
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1,37 @@
+# Compiled source #
+###################
+*.com
+*.class
+*.dll
+*.exe
+*.o
+*.so
+
+# Packages #
+############
+# it's better to unpack these files and commit the raw source
+# git has its own built in compression methods
+*.7z
+*.dmg
+*.gz
+*.iso
+*.jar
+*.rar
+*.tar
+*.zip
+
+# Logs and databases #
+######################
+*.log
+*.sql
+*.sqlite
+
+# OS generated files #
+######################
+.DS_Store
+.DS_Store?
+._*
+.Spotlight-V100
+.Trashes
+ehthumbs.db
+Thumbs.db
diff --git a/LICENSE b/LICENSE
new file mode 100644
index 0000000..6c5bc3d
--- /dev/null
+++ b/LICENSE
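Review bot: `search: "nuget"` matches that substring anywhere in `.github/dependabot.yml`, including a comment, and nothing verifies that the `github-actions` entry committed in this same change survived the learner's edit; a learner who replaces that entry instead of adding a second one passes this check and silently loses action updates. Anchoring the pattern to an ecosystem key, `search: "package-ecosystem:[\ ]*\"?nuget\"?"`, and adding a second `skills/action-check-file@v1` step with `search: "package-ecosystem:[\ ]*\"?github-actions\"?"` would assert the intended end state rather than the presence of a word. The comment `# In README.md, switch step 3 for step X.` should read `step 4`, matching `from_step: 4` below it.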
@@ -0,0 +1,7 @@ +Copyright (c) GitHub, Inc. + +Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the “Software”), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions: + +The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software. + +THE SOFTWARE IS PROVIDED “AS IS”, WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. diff --git a/README.md b/README.md new file mode 100644 index 0000000..efb68d4 --- /dev/null +++ b/README.md @@ -0,0 +1,74 @@ +
+ + + +# Secure your repository's supply chain + +_Secure your supply chain, understand dependencies in your environment, know about vulnerabilities in those dependencies and patch them._ + +
+ + + +## Welcome + +GitHub helps you secure your supply chain, from understanding the dependencies in your environment, to knowing about vulnerabilities in those dependencies and patching them. + +- **Who this is for**: Developers, DevOps Engineers, Site Reliability Engineers, Security experts +- **What you'll learn**: How to view repository dependencies, view Dependabot alerts, and enable Dependabot security and version updates +- **What you'll build**: Repository dependencies, Dependabot alerts, pull requests to fix dependencies and version updates +- **Prerequisites**: None +- **Timing**: This course can be completed in under an hour + +In this course, you will: + +1. Dependency graph +2. Dependency alerts +3. Dependency security +4. Dependency versions + +### How to start this course + + + +[![start-course](https://user-images.githubusercontent.com/1221423/235727646-4a590299-ffe5-480d-8cd5-8194ea184546.svg)](https://github.com/new?owner=&template_name=secure-repository-supply-chain&template_owner=skills&name=skills-secure-repository-supply-chain&visibility=public) + +1. Right-click **Start course** and open the link in a new tab. +2. In the new tab, most of the prompts will automatically fill in for you. + - For owner, choose your personal account or an organization to host the repository. + - We recommend creating a public repository, as private repositories will [use Actions minutes](https://docs.github.com/en/billing/managing-billing-for-github-actions/about-billing-for-github-actions). + - Scroll down and click the **Create repository** button at the bottom of the form. +3. After your new repository is created, wait about 20 seconds, then refresh the page. Follow the step-by-step instructions in the new repository's README. + + diff --git a/code/Bootcamp.sln b/code/Bootcamp.sln new file mode 100644 index 0000000..324a1d0 --- /dev/null +++ b/code/Bootcamp.sln 
@@ -0,0 +1,71 @@ + +Microsoft Visual Studio Solution File, Format Version 12.00 +# Visual Studio Version 16 +VisualStudioVersion = 16.0.30114.105 +MinimumVisualStudioVersion = 10.0.40219.1 +Project("{2150E333-8FDC-42A3-9474-1A3956D46DE8}") = "src", "src", "{B26D43AA-4A35-4035-9E99-48EF9A3E64DD}" +EndProject +Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "Attendee", "src\Attendee\Attendee.csproj", "{2804EC63-670C-4970-85E4-2A63C9327FF8}" +EndProject +Project("{2150E333-8FDC-42A3-9474-1A3956D46DE8}") = "test", "test", "{348A52EC-7046-4D1A-88DB-55B025C2BB68}" +EndProject +Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "AttendeeTest", "test\AttendeeTest\AttendeeTest.csproj", "{DED76823-F195-46D4-8509-5692E3431D53}" +EndProject +Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "AttendeeSite", "src\AttendeeSite\AttendeeSite.csproj", "{024C85A1-1144-4D1A-ADCC-010845B94620}" +EndProject +Global + GlobalSection(SolutionConfigurationPlatforms) = preSolution + Debug|Any CPU = Debug|Any CPU + Debug|x64 = Debug|x64 + Debug|x86 = Debug|x86 + Release|Any CPU = Release|Any CPU + Release|x64 = Release|x64 + Release|x86 = Release|x86 + EndGlobalSection + GlobalSection(SolutionProperties) = preSolution + HideSolutionNode = FALSE + EndGlobalSection + GlobalSection(ProjectConfigurationPlatforms) = postSolution + {2804EC63-670C-4970-85E4-2A63C9327FF8}.Debug|Any CPU.ActiveCfg = Debug|Any CPU + {2804EC63-670C-4970-85E4-2A63C9327FF8}.Debug|Any CPU.Build.0 = Debug|Any CPU + {2804EC63-670C-4970-85E4-2A63C9327FF8}.Debug|x64.ActiveCfg = Debug|Any CPU + {2804EC63-670C-4970-85E4-2A63C9327FF8}.Debug|x64.Build.0 = Debug|Any CPU + {2804EC63-670C-4970-85E4-2A63C9327FF8}.Debug|x86.ActiveCfg = Debug|Any CPU + {2804EC63-670C-4970-85E4-2A63C9327FF8}.Debug|x86.Build.0 = Debug|Any CPU + {2804EC63-670C-4970-85E4-2A63C9327FF8}.Release|Any CPU.ActiveCfg = Release|Any CPU + {2804EC63-670C-4970-85E4-2A63C9327FF8}.Release|Any CPU.Build.0 = Release|Any CPU + 
{2804EC63-670C-4970-85E4-2A63C9327FF8}.Release|x64.ActiveCfg = Release|Any CPU + {2804EC63-670C-4970-85E4-2A63C9327FF8}.Release|x64.Build.0 = Release|Any CPU + {2804EC63-670C-4970-85E4-2A63C9327FF8}.Release|x86.ActiveCfg = Release|Any CPU + {2804EC63-670C-4970-85E4-2A63C9327FF8}.Release|x86.Build.0 = Release|Any CPU + {DED76823-F195-46D4-8509-5692E3431D53}.Debug|Any CPU.ActiveCfg = Debug|Any CPU + {DED76823-F195-46D4-8509-5692E3431D53}.Debug|Any CPU.Build.0 = Debug|Any CPU + {DED76823-F195-46D4-8509-5692E3431D53}.Debug|x64.ActiveCfg = Debug|Any CPU + {DED76823-F195-46D4-8509-5692E3431D53}.Debug|x64.Build.0 = Debug|Any CPU + {DED76823-F195-46D4-8509-5692E3431D53}.Debug|x86.ActiveCfg = Debug|Any CPU + {DED76823-F195-46D4-8509-5692E3431D53}.Debug|x86.Build.0 = Debug|Any CPU + {DED76823-F195-46D4-8509-5692E3431D53}.Release|Any CPU.ActiveCfg = Release|Any CPU + {DED76823-F195-46D4-8509-5692E3431D53}.Release|Any CPU.Build.0 = Release|Any CPU + {DED76823-F195-46D4-8509-5692E3431D53}.Release|x64.ActiveCfg = Release|Any CPU + {DED76823-F195-46D4-8509-5692E3431D53}.Release|x64.Build.0 = Release|Any CPU + {DED76823-F195-46D4-8509-5692E3431D53}.Release|x86.ActiveCfg = Release|Any CPU + {DED76823-F195-46D4-8509-5692E3431D53}.Release|x86.Build.0 = Release|Any CPU + {024C85A1-1144-4D1A-ADCC-010845B94620}.Debug|Any CPU.ActiveCfg = Debug|Any CPU + {024C85A1-1144-4D1A-ADCC-010845B94620}.Debug|Any CPU.Build.0 = Debug|Any CPU + {024C85A1-1144-4D1A-ADCC-010845B94620}.Debug|x64.ActiveCfg = Debug|Any CPU + {024C85A1-1144-4D1A-ADCC-010845B94620}.Debug|x64.Build.0 = Debug|Any CPU + {024C85A1-1144-4D1A-ADCC-010845B94620}.Debug|x86.ActiveCfg = Debug|Any CPU + {024C85A1-1144-4D1A-ADCC-010845B94620}.Debug|x86.Build.0 = Debug|Any CPU + {024C85A1-1144-4D1A-ADCC-010845B94620}.Release|Any CPU.ActiveCfg = Release|Any CPU + {024C85A1-1144-4D1A-ADCC-010845B94620}.Release|Any CPU.Build.0 = Release|Any CPU + {024C85A1-1144-4D1A-ADCC-010845B94620}.Release|x64.ActiveCfg = Release|Any CPU + 
{024C85A1-1144-4D1A-ADCC-010845B94620}.Release|x64.Build.0 = Release|Any CPU + {024C85A1-1144-4D1A-ADCC-010845B94620}.Release|x86.ActiveCfg = Release|Any CPU + {024C85A1-1144-4D1A-ADCC-010845B94620}.Release|x86.Build.0 = Release|Any CPU + EndGlobalSection + GlobalSection(NestedProjects) = preSolution + {2804EC63-670C-4970-85E4-2A63C9327FF8} = {B26D43AA-4A35-4035-9E99-48EF9A3E64DD} + {DED76823-F195-46D4-8509-5692E3431D53} = {348A52EC-7046-4D1A-88DB-55B025C2BB68} + {024C85A1-1144-4D1A-ADCC-010845B94620} = {B26D43AA-4A35-4035-9E99-48EF9A3E64DD} + EndGlobalSection +EndGlobal
diff --git a/code/readme.md b/code/readme.md
new file mode 100644
index 0000000..e69de29
diff --git a/code/src/Attendee/Attendee.cs b/code/src/Attendee/Attendee.cs
new file mode 100644
index 0000000..7bda319
--- /dev/null
+++ b/code/src/Attendee/Attendee.cs
@@ -0,0 +1,24 @@
+using System;
+using System.IO;
+using System.IO.Compression;
+
+namespace Attendees
+{
+
+ public class Attendee
+ {
+ public void WriteToDirectory(ZipArchiveEntry entry, string destDirectory)
+ {
+ string destFileName = Path.Combine(destDirectory, entry.FullName);
+ entry.ExtractToFile(destFileName);
+ }
+
+ public bool AddAttendee(string added)
+ {
+ if (added == "exists") {
+ return true;
+ }
+ return false;
+ }
+ }
+}
\ No newline at end of file
diff --git a/code/src/Attendee/Attendee.csproj b/code/src/Attendee/Attendee.csproj
new file mode 100644
index 0000000..563e6f9
--- /dev/null
+++ b/code/src/Attendee/Attendee.csproj
@@ -0,0 +1,7 @@
+ + + + net5.0 + + +
diff --git a/code/src/AttendeeSite/Attendee.js b/code/src/AttendeeSite/Attendee.js
new file mode 100644
index 0000000..7275051
--- /dev/null
+++ b/code/src/AttendeeSite/Attendee.js
@@ -0,0 +1,3 @@
+function attendeeName() {
+ document.getElementById("Name").innerHTML = "Enter Name.";
+}
diff --git a/code/src/AttendeeSite/AttendeeSite.csproj b/code/src/AttendeeSite/AttendeeSite.csproj
new file mode 100644
index 0000000..c6493c4
--- /dev/null
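Review bot: `WriteToDirectory` hands `entry.FullName` straight to `Path.Combine` and extracts to whatever that yields, so an entry name that is rooted or contains `..` segments resolves to a file outside `destDirectory`; the method should normalise both paths with `Path.GetFullPath` and refuse the entry unless the result is still under the destination, as sketched below. `ExtractToFile` is also called without the `overwrite` argument, so a repeated entry name surfaces as an `IOException`; whichever behaviour is intended should be stated in a `<summary>` comment on the method. `AddAttendee` compares with `==`, which is ordinal for strings, so that part is fine as written.
```csharp
public void WriteToDirectory(ZipArchiveEntry entry, string destDirectory)
{
    // Anchor the destination with a trailing separator so "dir" cannot match "dir-other".
    string destRoot = Path.GetFullPath(destDirectory);
    if (!destRoot.EndsWith(Path.DirectorySeparatorChar))
    {
        destRoot += Path.DirectorySeparatorChar;
    }

    string destFileName = Path.GetFullPath(Path.Combine(destRoot, entry.FullName));
    if (!destFileName.StartsWith(destRoot, StringComparison.Ordinal))
    {
        throw new InvalidOperationException($"Entry '{entry.FullName}' resolves outside of '{destDirectory}'.");
    }

    entry.ExtractToFile(destFileName);
}
```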
+++ b/code/src/AttendeeSite/AttendeeSite.csproj
@@ -0,0 +1,11 @@
+ + + net5.0 + + + + + + +
diff --git a/code/src/AttendeeSite/Controllers/WeatherForecastController.cs b/code/src/AttendeeSite/Controllers/WeatherForecastController.cs
new file mode 100644
index 0000000..ecb4690
--- /dev/null
+++ b/code/src/AttendeeSite/Controllers/WeatherForecastController.cs
@@ -0,0 +1,39 @@
+using System;
+using System.Collections.Generic;
+using System.Linq;
+using System.Threading.Tasks;
+using Microsoft.AspNetCore.Mvc;
+using Microsoft.Extensions.Logging;
+
+namespace AttendeeSite.Controllers
+{
+ [ApiController]
+ [Route("[controller]")]
+ public class WeatherForecastController : ControllerBase
+ {
+ private static readonly string[] Summaries = new[]
+ {
+ "Freezing", "Bracing", "Chilly", "Cool", "Mild", "Warm", "Balmy", "Hot", "Sweltering", "Scorching"
+ };
+
+ private readonly ILogger _logger;
+
+ public WeatherForecastController(ILogger logger)
+ {
+ _logger = logger;
+ }
+
+ [HttpGet]
+ public IEnumerable Get()
+ {
+ var rng = new Random();
+ return Enumerable.Range(1, 5).Select(index => new WeatherForecast
+ {
+ Date = DateTime.Now.AddDays(index),
+ TemperatureC = rng.Next(-20, 55),
+ Summary = Summaries[rng.Next(Summaries.Length)]
+ })
+ .ToArray();
+ }
+ }
+}
diff --git a/code/src/AttendeeSite/Program.cs b/code/src/AttendeeSite/Program.cs
new file mode 100644
index 0000000..3e6d3a3
--- /dev/null
+++ b/code/src/AttendeeSite/Program.cs
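Review bot: `Get` stamps every forecast with `DateTime.Now`, so the API emits server-local wall-clock time with no offset; for a machine-readable endpoint prefer `Date = DateTime.UtcNow.AddDays(index),` (or a `DateTimeOffset` on the model). Creating `new Random()` per request is acceptable on the `net5.0` target this project declares, since `Random.Shared` only arrives in .NET 6; if it is ever hoisted into the static field next to `Summaries`, note that `Random` instances are not safe to share across concurrent requests. `_logger` is assigned in the constructor but never read. The type arguments on `ILogger` and `IEnumerable` look like they were stripped when this page was rendered, so this note does not treat them as missing.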
@@ -0,0 +1,26 @@
+using System;
+using System.Collections.Generic;
+using System.Linq;
+using System.Threading.Tasks;
+using Microsoft.AspNetCore.Hosting;
+using Microsoft.Extensions.Configuration;
+using Microsoft.Extensions.Hosting;
+using Microsoft.Extensions.Logging;
+
+namespace AttendeeSite
+{
+ public class Program
+ {
+ public static void Main(string[] args)
+ {
+ CreateHostBuilder(args).Build().Run();
+ }
+
+ public static IHostBuilder CreateHostBuilder(string[] args) =>
+ Host.CreateDefaultBuilder(args)
+ .ConfigureWebHostDefaults(webBuilder =>
+ {
+ webBuilder.UseStartup();
+ });
+ }
+}
diff --git a/code/src/AttendeeSite/Properties/launchSettings.json b/code/src/AttendeeSite/Properties/launchSettings.json
new file mode 100644
index 0000000..522f8d5
--- /dev/null
+++ b/code/src/AttendeeSite/Properties/launchSettings.json
@@ -0,0 +1,31 @@
+{
+ "$schema": "http://json.schemastore.org/launchsettings.json",
+ "iisSettings": {
+ "windowsAuthentication": false,
+ "anonymousAuthentication": true,
+ "iisExpress": {
+ "applicationUrl": "http://localhost:25666",
+ "sslPort": 44370
+ }
+ },
+ "profiles": {
+ "IIS Express": {
+ "commandName": "IISExpress",
+ "launchBrowser": true,
+ "launchUrl": "swagger",
+ "environmentVariables": {
+ "ASPNETCORE_ENVIRONMENT": "Development"
+ }
+ },
+ "AttendeeSite": {
+ "commandName": "Project",
+ "dotnetRunMessages": "true",
+ "launchBrowser": true,
+ "launchUrl": "swagger",
+ "applicationUrl": "https://localhost:5001;http://localhost:5000",
+ "environmentVariables": {
+ "ASPNETCORE_ENVIRONMENT": "Development"
+ }
+ }
+ }
+}
diff --git a/code/src/AttendeeSite/Startup.cs b/code/src/AttendeeSite/Startup.cs
new file mode 100644
index 0000000..48ebf17
--- /dev/null
+++ b/code/src/AttendeeSite/Startup.cs
@@ -0,0 +1,59 @@
+using System;
+using System.Collections.Generic;
+using System.Linq;
+using System.Threading.Tasks;
+using Microsoft.AspNetCore.Builder;
+using Microsoft.AspNetCore.Hosting;
+using Microsoft.AspNetCore.HttpsPolicy;
+using Microsoft.AspNetCore.Mvc;
+using Microsoft.Extensions.Configuration;
+using Microsoft.Extensions.DependencyInjection;
+using Microsoft.Extensions.Hosting;
+using Microsoft.Extensions.Logging;
+using Microsoft.OpenApi.Models;
+
+namespace AttendeeSite
+{
+ public class Startup
+ {
+ public Startup(IConfiguration configuration)
+ {
+ Configuration = configuration;
+ }
+
+ public IConfiguration Configuration { get; }
+
+ // This method gets called by the runtime. Use this method to add services to the container.
+ public void ConfigureServices(IServiceCollection services)
+ {
+
+ services.AddControllers();
+ services.AddSwaggerGen(c =>
+ {
+ c.SwaggerDoc("v1", new OpenApiInfo { Title = "AttendeeSite", Version = "v1" });
+ });
+ }
+
+ // This method gets called by the runtime. Use this method to configure the HTTP request pipeline.
+ public void Configure(IApplicationBuilder app, IWebHostEnvironment env)
+ {
+ if (env.IsDevelopment())
+ {
+ app.UseDeveloperExceptionPage();
+ app.UseSwagger();
+ app.UseSwaggerUI(c => c.SwaggerEndpoint("/swagger/v1/swagger.json", "AttendeeSite v1"));
+ }
+
+ app.UseHttpsRedirection();
+
+ app.UseRouting();
+
+ app.UseAuthorization();
+
+ app.UseEndpoints(endpoints =>
+ {
+ endpoints.MapControllers();
+ });
+ }
+ }
+}
diff --git a/code/src/AttendeeSite/WeatherForecast.cs b/code/src/AttendeeSite/WeatherForecast.cs
new file mode 100644
index 0000000..1d58cf4
--- /dev/null
+++ b/code/src/AttendeeSite/WeatherForecast.cs
@@ -0,0 +1,15 @@
+using System;
+
+namespace AttendeeSite
+{
+ public class WeatherForecast
+ {
+ public DateTime Date { get; set; }
+
+ public int TemperatureC { get; set; }
+
+ public int TemperatureF => 32 + (int)(TemperatureC / 0.5556);
+
+ public string Summary { get; set; }
+ }
+}
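Review bot: `Configure` calls `app.UseHttpsRedirection()` in every environment but never enables HSTS, so outside Development each plain-HTTP request is redirected yet no `Strict-Transport-Security` header is ever sent; the usual shape is an `else { app.UseHsts(); }` branch after the `if (env.IsDevelopment())` block. `app.UseAuthorization()` is registered with no `UseAuthentication()` and no authentication scheme in `ConfigureServices`; that is harmless while no endpoint carries `[Authorize]`, but a one-line comment such as `// No authentication is configured; UseAuthorization() is a no-op until a scheme is added.` would keep the next reader from assuming the pipeline enforces anything. Several of the `using` directives (`HttpsPolicy`, `Mvc`, `Logging`, `Linq`, `Threading.Tasks`) are unused in this file.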
diff --git a/code/src/AttendeeSite/appsettings.Development.json b/code/src/AttendeeSite/appsettings.Development.json new file mode 100644 index 0000000..8983e0f --- /dev/null +++ b/code/src/AttendeeSite/appsettings.Development.json @@ -0,0 +1,9 @@ +{ + "Logging": { + "LogLevel": { + "Default": "Information", + "Microsoft": "Warning", + "Microsoft.Hosting.Lifetime": "Information" + } + } +} diff --git a/code/src/AttendeeSite/appsettings.json b/code/src/AttendeeSite/appsettings.json new file mode 100644 index 0000000..d9d9a9b --- /dev/null +++ b/code/src/AttendeeSite/appsettings.json @@ -0,0 +1,10 @@ +{ + "Logging": { + "LogLevel": { + "Default": "Information", + "Microsoft": "Warning", + "Microsoft.Hosting.Lifetime": "Information" + } + }, + "AllowedHosts": "*" +} diff --git a/code/src/AttendeeSite/package-lock.json b/code/src/AttendeeSite/package-lock.json new file mode 100644 index 0000000..47bb119 --- /dev/null +++ b/code/src/AttendeeSite/package-lock.json @@ -0,0 +1,30 @@ +{ + "name": "app", + "version": "0.1.0", + "lockfileVersion": 1, + "requires": true, + "dependencies": { + "axios": { + "version": "0.21.1", + "resolved": "https://registry.npmjs.org/axios/-/axios-0.21.1.tgz", + "integrity": "sha512-dKQiRHxGD9PPRIUNIWvZhPTPpl1rf/OxTYKsqKUDjBwYylTvV7SjSHJb9ratfyzM6wCdLCOYLzs73qpg5c4iGA==", + "requires": { + "follow-redirects": "^1.10.0", + "minimist": "^1.2.0" + } + }, + "json5": { + "version": "2.2.0", + "resolved": "https://registry.npmjs.org/json5/-/json5-2.2.0.tgz", + "integrity": "sha512-f+8cldu7X/y7RAJurMEJmdoKXGB/X550w2Nr3tTbezL6RwEE/iMcm+tZnXeoZtKuOq6ft8+CqzEkrIgx1fPoQA==", + "requires": { + "minimist": "^1.2.5" + } + }, + "minimist": { + "version": "1.2.5", + "resolved": "https://registry.npmjs.org/minimist/-/minimist-1.2.5.tgz", + "integrity": "sha512-FM9nNUYrRBAELZQT3xeZQ7fmMOBg6nWNmJKTcgsJeaLstP/UODVpGsr5OhXhhXg6f+qtJ8uiZ+PUxkDWcgIXLw==" + } + } +} 
diff --git a/code/src/AttendeeSite/package.json b/code/src/AttendeeSite/package.json
new file mode 100644
index 0000000..3ff2188
--- /dev/null
+++ b/code/src/AttendeeSite/package.json
@@ -0,0 +1,24 @@
+{
+ "name": "azure_provision",
+ "version": "1.0.0",
+ "description": "provision to azure cloud",
+ "main": "provisionComposer.js",
+ "license": "MIT",
+ "scripts": {
+ "start": "node provisionComposer.js"
+ },
+ "dependencies": {
+ "@azure/arm-appinsights": "^2.1.0",
+ "@azure/arm-botservice": "^1.0.0",
+ "@azure/arm-resources": "^2.1.0",
+ "@azure/graph": "^5.0.1",
+ "@azure/ms-rest-nodeauth": "^3.0.3",
+ "@types/fs-extra": "^8.1.0",
+ "axios": "^0.21.1",
+ "chalk": "^4.0.0",
+ "fs-extra": "^8.1.0",
+ "minimist": "^1.2.5",
+ "ora": "^4.0.4",
+ "request-promise": "^4.2.5"
+ }
+}
diff --git a/code/test/AttendeeTest/AttendeeExists.cs b/code/test/AttendeeTest/AttendeeExists.cs
new file mode 100644
index 0000000..70e3b6d
--- /dev/null
+++ b/code/test/AttendeeTest/AttendeeExists.cs
@@ -0,0 +1,18 @@
+using System;
+using Xunit;
+using Xunit.Extensions;
+using Attendees;
+
+namespace AttendeeTest
+{
+ public class AttendeeTest
+ {
+ [Fact]
+ public void AttendeeExistsReturnTrue()
+ {
+ Attendee attendee = new Attendee();
+ bool doesExist = attendee.AddAttendee("doesnotexist");
+ Assert.False(doesExist, "The attendee does not exist");
+ }
+ }
+}
diff --git a/code/test/AttendeeTest/AttendeeTest.csproj b/code/test/AttendeeTest/AttendeeTest.csproj
new file mode 100644
index 0000000..aa630e1
--- /dev/null
+++ b/code/test/AttendeeTest/AttendeeTest.csproj
@@ -0,0 +1,26 @@
+ + + + net5.0 + + false + + + + + + + runtime; build; native; contentfiles; analyzers; buildtransitive + all + + + runtime; build; native; contentfiles; analyzers; buildtransitive + all + + + + + + + +
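Review bot: The test is named `AttendeeExistsReturnTrue` but calls `AddAttendee("doesnotexist")` and asserts `False`, so the name describes the opposite case from the one exercised; rename it to something like `AddAttendee_UnknownName_ReturnsFalse`, or add a second `[Fact]` that passes `"exists"` and asserts true so the name becomes accurate. `using Xunit.Extensions;` is the namespace of the old xUnit 1.x extensions package; unless a package reference in `AttendeeTest.csproj` still supplies it (the package references in that hunk are not readable on this page), the file will not compile against xUnit 2. `using System;` is unused in this file.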