Initial commit

Author: Jeffrey-Luszcz

.github/steps/1-enable-secret-scanning.md

@@ -0,0 +1,68 @@
+## Step 1: Enable Secret Protection
+
+If you check your email, you probably just got an alert from GitHub with the subject "Possible valid secrets detected". Oh no! 😮
+
+Don't worry! We put some expired credentials in the exercise on purpose since public repositories get secret protection for free. Nice! 🕵️
+
+In this step, you will enable secret protection on your repository. After it is enabled, you will add a new credential to see how secret protection identifies the credential and alerts you.
+
+> [!WARNING]
+> If your repository is private, you will need [GitHub Advanced Security](https://docs.github.com/en/enterprise-cloud@latest/get-started/learning-about-github/about-github-advanced-security) to continue. We recommend [changing this exercise repository to public](https://docs.github.com/en/repositories/managing-your-repositorys-settings-and-features/managing-repository-settings/setting-repository-visibility) to enable it.
+
+### What is a secret?
+
+In our context, a secret (or credential) is a plain-text string, or a pair of strings, that authorizes access to a service. Examples could be AWS secret access keys/ID's, Google API keys, or GitHub Personal Access Tokens (PATs).
+
+The GitHub Docs provides a list of [all supported patterns](https://docs.github.com/en/code-security/secret-scanning/secret-scanning-patterns#supported-secrets).
+
+### What is secret protection?
+
+Secret protection is a powerful tool which allows teams to identify these plain-text credentials, remove them, and create rules to prevent them from being written to GitHub in the first place.
+
+Secret protection is available **for free for public repositories** on all plans. Enterprises that need secret protection capabilities for private repositories should review [GitHub Advanced Security](https://github.com/security/advanced-security). Not only does it include secret protection, it also provides advanced static analysis, software composition analysis (SCA), and enterprise tools to manage your entire AppSec pipeline and reduce your risk profile.
+
+### :keyboard: Activity: Configure secret protection
+
+1. In the header of your repository, open **Settings** in a new browser tab.
+
+1. In the left navigation, under the **Security** section, select **Advanced Security**.
+
+1. Scroll down past the **Code Scanning** and **Dependabot** sections until you find the **Secret Protection** section.
+
+   > 💡 **Tip:** We also have exercises about [code scanning](https://github.com/skills/introduction-to-codeql) and [supply chain protection](https://github.com/skills/secure-repository-supply-chain)!
+
+1. Adjust the default configuration to match the below.
+
+   - **Secret Protection:** `enabled`
+   - **Push Protection:** `disabled`
+
+   <img width="400" alt="Secret protection configuration settings" src="https://github.com/user-attachments/assets/7b999e54-dbf4-400d-8730-17b96bc06de1" />
+
+### :keyboard: Activity: Commit a sensitive file
+
+Now let's (accidentally) commit a sensitive file to see how it works. Don't worry, these are inactive credentials.
+
+1. In the header of your repository, click the **Code** tab.
+
+1. Above the list of files, click the **Add file** dropdown and select **Create new file**.
+
+   <img width="350" alt="New file button" src="https://github.com/user-attachments/assets/8f3f8da8-1471-485a-9df5-8c03ecba2d8e"/>
+
+1. Enter the file name `credentials.yml` and copy following **inactive** example credentials into it.
+
+   <img width="400" alt="New file button" src="https://github.com/user-attachments/assets/40f5ce62-936c-4d71-8c51-02c724d5aac0"/>
+
+   ```yaml
+   default:
+     aws_access_key_id: AKIAQYLPMN5HNM4OZ56B
+     aws_secret_access_key: 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
+     mongodb: mongodb+srv://svc-admin:[email protected]
+     output: json
+     region: us-east-2
+   ```
+
+1. In the top right, use the **Commit changes...** button to commit directly to the `main` branch.
+
+   > ❗️ **Important:** Committing to your default branch is not usually a recommended practice. We only do this to simplify the exercise.
+
+1. With our credentials file (accidentally) shared, Mona should quickly notice it and prepare the next step.

.github/steps/2-review-alerts.md

@@ -0,0 +1,63 @@
+## Step 2: Review and close secret scanning alerts
+
+In the last step, you enabled secret protection and committed a sensitive file to the repository. Now, let's review our open secret scanning alerts and close one.
+
+### :keyboard: Activity: Triage secret scanning alerts
+
+1. In the header of your repository, click the **Security** tab.
+
+1. In the left navigation, select the **Secret scanning** option.
+
+1. Notice various options in the header bar that can help triage our alerts.
+
+   <img width="400" alt="list of filtered open alerts" src="https://github.com/user-attachments/assets/2926c12f-2d39-4ea1-a8dd-816442f332b4" />
+
+1. Click the **Provider** dropdown and select `Amazon AWS` to filter the view. Notice only 2 of the 3 entries are listed now.
+
+   <img width="400" alt="list of filtered open alerts" src="https://github.com/user-attachments/assets/8623dec7-5199-4c5b-8c5e-1b812106a510" />
+
+### :keyboard: Activity: Review a secret scanning alert
+
+1. In the list of open alerts, select the `Amazon AWS Access Key ID` alert. This will open a details page with more information.
+
+1. At the top of the page, we can quickly view the alert status, when it was opened, the exposed secret, and some remediation steps.
+
+   <img width="400" alt="image" src="https://github.com/user-attachments/assets/61700b67-234c-47ae-a4de-552be25cc2bf" />
+
+1. Scroll down slightly to the **Detected in X locations** area and you will see all the places where this secret was detected, including the `credentials.yml` file that you created. Notice that secret protection doesn't create duplicate alerts for the same secret found across multiple locations, for example in our learning issue.
+
+   <img width="400" alt="image" src="https://github.com/user-attachments/assets/0a40db10-0461-4732-8e5d-674082020c96" />
+
+### :keyboard: Activity: Close an alert
+
+When secret protection finds a secret in your repository, the first thing you should do is **disable that secret with the provider**. You should assume it has been exposed.
+
+> [!TIP]
+> Some [supported secrets](https://docs.github.com/en/code-security/secret-scanning/introduction/supported-secret-scanning-patterns#default-patterns) are automatically sent to the provider when leaked.
+
+1. Assuming you have taken remediation steps, we can update the status of our alert. In the top right, select the **Close as** dropdown.
+
+   > 🚨 **Caution:** Do **NOT** close an open alert without performing remediation steps. This simply hides the problem and provides a false sense of security. It might even trigger additional alerts with your cybersecurity department. 🤦
+
+1. Choose the `Revoked` option and enter a useful description of your remediation steps in the comment box (example below). Then choose **Close alert**.
+
+   ```txt
+   The secret owner was contacted. They provided proof that the exposed secret was replaced.
+   ```
+
+   > 💡 **Tip:** This is important so the audit log can later provide critical information if an investigation is required.
+
+   <img width="250" alt="Screenshot of an alert being closed as revoked with a useful comment" src="https://github.com/user-attachments/assets/a65bf6be-2be3-4096-9afa-db7a3fb02ecd" />
+
+
+1. The alert status now displays `Closed` and the audit trail includes our explanation.
+
+   <img width="250" alt="image" src="https://github.com/user-attachments/assets/fdff5ad5-40ab-4f35-9f37-284dfe129ebd" />
+
+   <img width="450" alt="image" src="https://github.com/user-attachments/assets/29bde02e-88d8-4fe2-b39c-a85a7b705908" />
+
+1. With at least one of our alerts resolved, let's add a comment to inform Mona we are done with this step, so she can share the next one.
+
+   ```txt
+   Hello @professortocat, I've resolved the security alert. What's next?
+   ```

.github/steps/3-enable-push-protection.md

@@ -0,0 +1,63 @@
+## Step 3: Enable push protection
+
+In this section, you will configure your repository to prevent new secrets from being exposed.
+
+### What is push protection?
+
+When someone tries to send code changes to GitHub (a push), secret scanning checks for high-confidence secrets. Secret scanning lists any secrets it detects so the author can review the secrets and remove them or, if needed, allow those secrets to be pushed.
+
+### :keyboard: Activity: Configure push protection
+
+> [!IMPORTANT]
+> We disabled push protection in our first step for learning practice. It is normally enabled by default for all public repositories.
+
+1. In the header of your repository, click the **Settings** tab.
+1. In the left navigation, under the **Security** section, select **Advanced Security**.
+1. Scroll down past the **Code Scanning** and **Dependabot** sections until you find the **Secret Protection** section.
+1. Adjust the default configuration to match the below.
+
+   - **Secret Protection:** `enabled`
+   - **Push Protection:** `enabled`
+
+   <img width="400" alt="Secret protection configuration settings" src="https://github.com/user-attachments/assets/4ecbc9a5-f1b2-4b68-8a1e-667dee7a7661" />
+
+### :keyboard: Activity: Attempt to push a secret
+
+Now that secret push protection is enabled, let's give it a test!
+
+1. In the header of your repository, click the **Code** tab.
+
+1. In the list of files, click on the `credentials.yml` file to preview it.
+
+1. Above the content preview, click the **Edit** button.
+
+   <img width="200" alt="pencil-light" src="https://github.com/user-attachments/assets/3dfb1b2e-6fee-4b69-8b38-fc7bfedc8772"/>
+
+1. Copy the following inactive secret to the file, removing the `<REMOVE_ME>` text. It should look like the below screenshot.
+
+   ```txt
+     github-token: github_pat_<REMOVE_ME>11A4YXR6Y0v36CYFkuT5I1_ZRWX91c8k0waSN6x7AiVJ6zZ9ZHUQXBblBqFQpKd23V6CL7MWMPopnmBxzn
+   ```
+
+   ![Screenshot of credentials.yml being edited in the GitHub web interface. A newly added github-token is highlighted.](https://github.com/user-attachments/assets/d5e16dc7-ffa9-422a-bc37-89f5cbb26a2e)
+
+1. In the top right, use the **Commit changes...** button to **try to** commit directly to the `main` branch. Instead of committing the updated file, a push protection alert appeared. Nice! 🥰
+
+   <img width="400" alt="image" src="https://github.com/user-attachments/assets/19099848-4191-4fd7-b52b-be521d7f356c" />
+
+> [!IMPORTANT]
+> Secret Push Protection only scans while _**pushing**_ to GitHub. It cannot check your local commits. If you have a secret in a local commit and it is several commits deep, you will need to remove the secret from your branch's commit history. See [resolving a blocked push on the command line](https://docs.github.com/en/code-security/secret-scanning/pushing-a-branch-blocked-by-push-protection#resolving-a-blocked-push-on-the-command-line).
+
+### :keyboard: Activity: Bypass push protection
+
+In some cases, you may write code that looks similar to a secret and a commit is incorrectly blocked. For example writing tests for an authorization process. In those situations, you can choose to bypass push protection. Let's practice that.
+
+1. Select the radio button next to `It's used in tests`. Notice the description, matches our current learning use case.
+
+   <img width="400" alt="image" src="https://github.com/user-attachments/assets/04b51b50-c93b-4bce-ab2a-988ab42e8db2" />
+
+1. Click **Allow secret**. A notification banner reports that you can now try committing again.
+
+1. In the top right, use the **Commit changes...** button to commit directly to the `main` branch.
+
+1. With the file updated, Mona should be busy checking your work. After checking, she'll provide feedback and the final review. Nice work! You are all done! 🎉

.github/steps/x-review.md

@@ -0,0 +1,29 @@
+## Review 📖
+
+_Congratulations friend, you've completed this course!_
+
+Here's a recap of all the tasks you've accomplished in your repository:
+
+- Enabled secret scanning if your repository has private or internal visibility
+- Committed a secret to the repository
+- Reviewed secrets that have been identified by secret scanning
+- Closed a secret scanning alert
+- Enabled secret scanning push protection to prevent secrets from being written to the repository (required only for private or internal repositories)
+- Attempted to commit a secret, but had that commit stopped by push protection
+- Bypassed push protection
+
+It's important to note that secret scanning capabilities are available for free for all public repositories. Customers who want to enable secret scanning on private repos should find out more about [GitHub Advanced Security](https://docs.github.com/en/enterprise-cloud@latest/get-started/learning-about-github/about-github-advanced-security) or [Set up a trial of GitHub Advanced Security](https://docs.github.com/en/enterprise-cloud@latest/billing/managing-billing-for-github-advanced-security/setting-up-a-trial-of-github-advanced-security).
+
+In addition to the features you worked with here, GitHub Advanced Security also provides the following features:
+
+- Custom secret scanning patterns
+- Non-partner and generic patterns including passwords, RSA and SSH keys, and database connection strings
+- Code scanning with CodeQL
+- Security Overview
+- Supply chain security capabilities
+
+### What's next?
+
+- [Take another Skills Exercise](https://skills.github.com).
+- [Read the GitHub Getting Started docs](https://docs.github.com/en/get-started).
+- To find projects to contribute to, check out [GitHub Explore](https://github.com/explore).

.github/workflows/0-start-exercise.yml

@@ -0,0 +1,77 @@
+name: Step 0 # Start Exercise
+
+on:
+  push:
+    branches:
+      - main
+
+permissions:
+  contents: write
+  actions: write
+  issues: write
+
+env:
+  STEP_1_FILE: ".github/steps/1-enable-secret-scanning.md"
+
+jobs:
+  start_exercise:
+    if: |
+      !github.event.repository.is_template
+    name: Start Exercise
+    uses: skills/exercise-toolkit/.github/workflows/[email protected]
+    with:
+      exercise-title: "Introduction to Secret Scanning"
+      intro-message: "In this exercise, you'll learn how to identify and protect sensitive information in your repositories. 🔍 Let's work together to keep your code secure! 🛡️"
+
+  post_next_step_content:
+    name: Post next step content
+    runs-on: ubuntu-latest
+    needs: [start_exercise]
+    env:
+      ISSUE_URL: ${{ needs.start_exercise.outputs.issue-url }}
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Get response templates
+        uses: actions/checkout@v4
+        with:
+          repository: skills/exercise-toolkit
+          path: exercise-toolkit
+          ref: v0.6.0
+
+      - name: Configure Git user
+        run: |
+          git config user.name github-actions[bot]
+          git config user.email github-actions[bot]@users.noreply.github.com
+
+      - name: Build comment - add step content
+        id: build-comment
+        uses: skills/action-text-variables@v2
+        with:
+          template-file: ${{ env.STEP_1_FILE }}
+          template-vars: |
+            login: ${{ github.actor }}
+            full_repo_name: ${{ github.repository }}
+
+      - name: Create comment - add step content
+        run: |
+          gh issue comment "$ISSUE_URL" \
+            --body "$ISSUE_BODY"
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          ISSUE_BODY: ${{ steps.build-comment.outputs.updated-text }}
+
+      - name: Create comment - watching for progress
+        run: |
+          gh issue comment "$ISSUE_URL" \
+            --body-file "exercise-toolkit/markdown-templates/step-feedback/watching-for-progress.md"
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Enable next workflow
+        run: |
+          gh workflow enable "Step 1" || true
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}