
security-on-github's Introduction


security-on-github's Issues

Welcome

🎉 Welcome to Securing your workflows!

In this course, you'll learn how to build and host a secure repository in GitHub. A secure repository is important for many reasons.

  • Prevents exposing sensitive data
  • Enforces secure development best practices
  • Guards against unintended access rights permissions

In this course you will learn how to:

  • Opt-in to vulnerability alerts for private repositories
    • Note: These security settings are default for public repositories that are not forks.
  • Detect and fix vulnerable dependencies when notified by a vulnerability alert
  • Follow security best practices to protect sensitive data by using a .gitignore file

New to GitHub?

For this course, you'll need to be comfortable with the GitHub Flow. If you need a refresher on the GitHub flow, check out the Introduction to GitHub course.

Step 1: Your project on GitHub Pages

This project is centered around a memory game that will be deployed with GitHub Pages.

โŒจ๏ธ Activity: Enable GitHub Pages

  1. Click the Settings tab in your repository.
  2. Scroll down to GitHub Pages and select main as a Source.

For a printable version of the steps in this course, check out the Quick Reference Guide.

Turning on GitHub Pages creates a deployment of your repository. I may take up to a minute to respond as I await the deployment.


Return to this issue for my next comment.

Sometimes I respond too fast for the page to update! If you perform an expected action and don't see a response from me, wait a few seconds. Then refresh the page for your next steps.

Find repository vulnerabilities

Finding vulnerable dependencies

Security vulnerabilities can cause a range of problems for your project or the people who use it. A vulnerability could affect the confidentiality, integrity, or availability of a project. Sometimes vulnerabilities aren't in the code you write, but in the code your project depends on. Staying up-to-date with the most recent versions is the best line of defense.

This repository has some existing dependencies which will need updating to stay secure.

How can we identify dependencies and if they are vulnerable?

This repository is a Node.js project utilizing NPM. Because of that, the package.json defines this repository's dependencies. For our time together, we'll be focusing on these JavaScript dependencies. Keep in mind that different programming languages may have different dependency files. You might work with a Gemfile, Gemfile.lock, *.gemspec, requirements.txt, Pipfile.lock, or other files.

How can we know these dependencies are secure? It's not always easy, but GitHub is watching out.

GitHub's security alerts for vulnerable dependencies

You may notice some alerts from GitHub about this repository. You may get an email, or see a yellow bar warning you about the package.json file.

(Screenshot: dependency vulnerability alert)

GitHub tracks public vulnerabilities in Ruby gems, NPM, Python, Java, and .NET packages.

GitHub receives a notification of a newly-announced vulnerability. Next, we check for repositories that use the affected version of that dependency. We send security alerts to a set of people within those affected repositories. The owners are contacted by default. But, it's possible to configure specific teams or individuals to get these important notifications.

GitHub never publicly discloses identified vulnerabilities for any repository.

Step 2: Find this repository's vulnerable dependencies

Use GitHub's security alerts to identify a vulnerable NPM dependency.

โŒจ๏ธ Activity: Identify the suggested version update

  1. Click the Insights tab in your repository.
  2. On the left hand navigation bar, click Dependency graph.
  3. Scroll down until you see a yellow bar highlighting the dependency named debug, and click on the right hand side of the yellow debug section.
  4. Take note of the suggested version.
  5. Comment in this issue with the suggested update version.

GitHub Enterprise Server only: This is all possible on GitHub Enterprise through GitHub Connect. It may take up to an hour to refresh the alerts and make them visible. After waiting a reasonable amount of time, if you are still not seeing the yellow bar in the Dependency Graph, you may want to contact your administrator. In the meantime, to move along with the course, we'll give you a hint: the recommended upgraded version is 2.6.9.
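To show what the alert is doing behind the yellow bar, here is an added example that is not part of the course: a small Node.js script that matches the dependencies declared in a package.json against an advisory list. The manifest and the advisory entry are constructed for illustration; only the package name debug and the fix version 2.6.9 come from the course.

```javascript
// Added example, not course code: a minimal version of the check behind a
// dependency alert. Manifest and advisory below are constructed samples.
const samplePackageJson = {
  name: "memory-game",
  dependencies: { debug: "^2.6.8", express: "4.16.0" },
};

// Constructed advisory: versions of `debug` below 2.6.9 are treated as
// affected and 2.6.9 as the patched release the course asks you to find.
const sampleAdvisories = [
  { package: "debug", vulnerableBelow: "2.6.9", patched: "2.6.9" },
];

// Parse "2.6.8", "^2.6.8", "~2.6.8" or ">=2.6.8" into [major, minor, patch].
// Wildcards such as "*" or "1.x" are rejected rather than guessed at.
function parseVersion(spec) {
  const m = /^[\^~>=\s]*(\d+)\.(\d+)\.(\d+)/.exec(spec);
  if (!m) throw new Error(`unsupported version spec: ${spec}`);
  return m.slice(1, 4).map(Number);
}

function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] - b[i];
  return 0;
}

// One finding per advisory whose package is declared at an affected version.
// `resolved` optionally maps package name to the exact installed version
// (what a package-lock.json records); without it, the lowest version the
// spec allows is checked, the conservative reading of a caret/tilde range.
function findVulnerableDependencies(pkg, advisories, resolved = {}) {
  const declared = { ...(pkg.dependencies || {}), ...(pkg.devDependencies || {}) };
  const findings = [];
  for (const adv of advisories) {
    const spec = declared[adv.package];
    if (!spec) continue;
    const installed = parseVersion(resolved[adv.package] || spec);
    if (compareVersions(installed, parseVersion(adv.vulnerableBelow)) < 0) {
      findings.push({ package: adv.package, declared: spec, upgradeTo: adv.patched });
    }
  }
  return findings;
}

console.log(findVulnerableDependencies(samplePackageJson, sampleAdvisories));
```

Passing the resolved versions from a lockfile is what stops the check from flagging a caret range that has already been updated to the patched release.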

For a printable version of the steps in this course, check out the Quick Reference Guide.


Return to this issue for my next comment.
