Test your memory.
All the images from https://octodex.github.com/.
This was originally a Pen created at CodePen.io. You can find this one at https://codepen.io/JasonEtco/pen/yobKqg.
Home Page: https://lab.github.com/githubtraining/security-strategy-essentials
License: MIT License
Manually going through your dependencies for alerts and outdated versions is tedious work. Let's automate this process!
Meet Dependabot
Dependabot creates pull requests to keep your dependencies secure and up-to-date!
Dependabot is the actor for GitHub's automated security updates.
You can enable automated security updates for any repository that uses security alerts and the dependency graph. You can disable automated security updates for an individual repository or for all repositories owned by your user account or organization. GitHub will automatically enable automated security updates in every repository that uses security alerts and the dependency graph.
Here, we have a security alert on the debug dependency. Clicking on debug will show you the pull request created by Dependabot to update the dependency. We just updated to 2.6.9 but Dependabot noticed we are still outdated.
If you navigate to your pull requests, you'll notice Dependabot has done its job and is trying to bump, or update, the version of debug. Feel free to approve and merge the pull request.
Just like most repositories have a README.md file to provide instructions on how to contribute to the repository, a SECURITY.md file highlights security related information and instructions on how to handle security related issues and best practices.
This gives collaborators the important security information they need, but it also documents a place where maintainers can think about how they should deal with security disclosures, updates, and general security practices within this repository.
Just like a README.md file, it really depends on your repository and the requirements and workflows. Here are a few common topics that are documented in a security policy:
In this course, you'll learn how to build and host a secure repository in GitHub. A secure repository is important for many reasons, including:
In this course you will learn how to:
.gitignore file
For this course, you'll need to be comfortable with the GitHub Flow. If you need a refresher on the GitHub flow, check out the Introduction to GitHub course.
This project is centered around a memory game that will be deployed with GitHub Pages.
Select master as a Source, and click Save.
Turning on GitHub Pages creates a deployment of your repository. I may take up to a minute to respond as I await the deployment.
Sometimes I respond too fast for the page to update! If you perform an expected action and don't see a response from me, wait a few seconds. Then refresh the page for your next steps.
Security vulnerabilities can cause a range of problems for your project or the people who use it. A vulnerability could affect the confidentiality, integrity, or availability of a project. Sometimes vulnerabilities aren't in the code you write, but in the code your project depends on. Staying up-to-date with the most recent versions is the best line of defense, but it has the potential to cause integration issues, so GitHub alerts you of the safest next version of a dependency.
This repository has some existing dependencies which will need updating to stay secure.
This repository is a Node.js project utilizing NPM. Because of that, package.json defines this repository's dependencies. For our time together, we'll be focusing on these JavaScript dependencies. Keep in mind that different programming languages may have different dependency manifests. You might work with a Gemfile, Gemfile.lock, *.gemspec, requirements.txt, Pipfile.lock, or other files.
How can we know these dependencies are secure? GitHub monitors a number of reputable data sources to track vulnerabilities across projects.
You may notice some alerts from GitHub about this repository. You may get an email, or see a yellow bar warning you about the package.json file.
GitHub tracks vulnerabilities for a number of supported languages and their associated package managers, including RubyGems, NPM, Python PIP, Maven, and NuGet.
GitHub receives a notification of a newly-announced vulnerability. Next, we check for repositories that use the affected version of that dependency. We send security alerts to a set of people within those affected repositories. The owners are contacted by default and it's possible to configure specific teams or individuals to get these important notifications.
GitHub never publicly discloses identified vulnerabilities for any repository.
Use GitHub's security alerts to identify a vulnerable NPM dependency.
Locate debug, and click on the right hand side of the yellow debug section.
GitHub Enterprise Server only: This is all possible on GitHub Enterprise through GitHub Connect. It may take up to an hour to refresh the alerts and make them visible. After waiting a reasonable amount of time, if you are still not seeing the yellow bar in the Dependency Graph, you may want to contact your administrator. In the meantime, to move along with the course, we'll give you a hint: the recommended upgraded version is 2.6.9.