diff --git a/github/configure-dependabot-security-updates-on-github-repo/1-introduction.yml b/github/configure-dependabot-security-updates-on-github-repo/1-introduction.yml index 4de7ace8..2b55f076 100644 --- a/github/configure-dependabot-security-updates-on-github-repo/1-introduction.yml +++ b/github/configure-dependabot-security-updates-on-github-repo/1-introduction.yml @@ -5,11 +5,11 @@ metadata: unitType: introduction title: Introduction description: GitHub dependency management tools help you handle the security risks and maintenance requirements of incorporating third-party software into your project. - ms.date: 1/5/2022 + ms.date: 08/28/2022 author: sterling463 ms.author: csterling ms.topic: interactive-tutorial ms.prod: learning-azure durationInMinutes: 1 content: | - [!include[](includes/1-introduction.md)] \ No newline at end of file + [!include[](includes/1-introduction.md)] diff --git a/github/configure-dependabot-security-updates-on-github-repo/includes/1-introduction.md b/github/configure-dependabot-security-updates-on-github-repo/includes/1-introduction.md index 6557b630..55f3d446 100644 --- a/github/configure-dependabot-security-updates-on-github-repo/includes/1-introduction.md +++ b/github/configure-dependabot-security-updates-on-github-repo/includes/1-introduction.md 
@@ -8,13 +8,11 @@ Luckily, GitHub provides you with dependency management tools that help to manag By the end of this module, you'll be able to: -- Describe the available tools for managing vulnerable dependencies on GitHub. -- Enable and configure Dependabot alerts. -- Identify the permissions and roles required to view and enable Dependabot alerts. +- Understand the basics of the dependency graph, the GitHub Advisory Database, and Dependabot. +- How to enable, view, grant, and resolve Dependabot alerts. - Enable and configure Dependabot security updates. -- Identify, review, and address vulnerable dependencies. -- Explain how to use GraphQL API to retrieve vulnerability information. -- Explain how to configure notifications for vulnerable dependencies. +- Manage Dependabot notifications and reports. + ## Prerequisites diff --git a/github/configure-dependabot-security-updates-on-github-repo/includes/2-manage-your-dependencies-github.md b/github/configure-dependabot-security-updates-on-github-repo/includes/2-manage-your-dependencies-github.md index 3831ca3a..14a0345b 100644 --- a/github/configure-dependabot-security-updates-on-github-repo/includes/2-manage-your-dependencies-github.md +++ b/github/configure-dependabot-security-updates-on-github-repo/includes/2-manage-your-dependencies-github.md 
@@ -1,10 +1,13 @@ -It's common for software projects to depend on external packages or dependencies. Managing these external dependencies can consume resources and affect productivity. These dependencies can also include vulnerabilities that introduce security threats. A vulnerability is a flaw in a project’s code that can be exploited to damage the confidentiality, integrity, or availability of the project or other projects that use its code. You may not even notice vulnerabilities right away because they exist outside of the code that you work on. +Dependabot is a GitHub tool that automates managing your repository’s dependencies. For Dependabot to work, the dependency graph must be enabled in a repository. Dependabot uses the dependency graph and the GitHub Advisory Database to provide three features: + +- **Dependabot alerts**: Notify you about vulnerable dependencies in public repositories. +- **Security updates**: Automatically update or generate a pull request to update vulnerable dependencies. +- **Version updates**: Automatically update all the packages used by your repository. -In this unit, you'll learn about the GitHub tools for managing your dependencies: +In this unit you will learn about the dependency graph and the GitHub Advisory Database and how to manage your dependencies before we dive into Dependabot. + +It's common for software projects to depend on external packages or dependencies. Managing these external dependencies can consume resources and affect productivity. These dependencies can also include vulnerabilities that introduce security threats. A vulnerability is a flaw in a project’s code that can be exploited to damage the confidentiality, integrity, or availability of the project or other projects that use its code. You may not even notice vulnerabilities right away because they exist outside of the code that you work on. -- The dependency graph -- The GitHub Advisory Database -- Dependabot ## The dependency graph 
@@ -86,13 +89,3 @@ GitHub collects information on vulnerabilities and includes it in the GitHub Adv - A combination of machine learning and human reviews to detect vulnerabilities in public commits on GitHub. - Security advisories reported on GitHub. - The npm Security advisories database. - -## Dependabot - -Dependabot is a GitHub tool that automates managing your repository’s dependencies. For Dependabot to work, the dependency graph must be enabled in a repository. Dependabot uses the dependency graph and the GitHub Advisory Database to provide three features: - -- **Dependabot alerts**: Notify you about vulnerable dependencies in public repositories. -- **Security updates**: Automatically update or generate a pull request to update vulnerable dependencies. -- **Version updates**: Automatically update all the packages used by your repository. - -In the remaining units, you'll learn more about using Dependabot in your repository. diff --git a/github/configure-dependabot-security-updates-on-github-repo/includes/6-exercise.md b/github/configure-dependabot-security-updates-on-github-repo/includes/6-exercise.md index aef67e6a..b934d312 100644 --- a/github/configure-dependabot-security-updates-on-github-repo/includes/6-exercise.md +++ b/github/configure-dependabot-security-updates-on-github-repo/includes/6-exercise.md 
@@ -1,25 +1,20 @@ -This exercise checks your knowledge on using GitHub to manage your dependencies. -​ -This GitHub exercise is graded automatically once you've attempted a solution to the challenge. The results of your actions and helpful feedback are provided in real time within the `grade-learner` workflow logs. -​ -Here are some helpful tips before you begin the exercise: +This exercise will help walk you through how to view repository dependencies, view Dependabot alerts, and enable Dependabot security and version updates. You will also build dependencies, Dependabot alerts, pull requests to fix dependencies and version updates. -- Read the **About this exercise** section in the exercise's repository README to understand how the exercise works. -- Follow the steps provided in the **Instructions** section to successfully complete the exercise. -- To see the results of your exercise, go to the **Actions** tab of your cloned repository and select the most recent run on the **Grading** workflow. -- Stuck on what to do? Revisit the content in the last unit or check out the **Useful resources** section in the exercise's repository README for more resources. +## Getting started -> [!NOTE] -> A grading script exists under `.github/workflows/grading.yml`. You do not need to modify this workflow to complete this exercise. **Altering the contents in this workflow can break the exercise's ability to validate your actions, provide feedback, or grade the results**. +When you click the _Start the exercise on GitHub_ button below, you'll be navigated to a public GitHub template repository that will prompt you to complete a series of small challenges. Before you can begin the exercise, complete the below tasks: -This exercise is a challenge based on content covered in this module. 
It may take several attempts to complete the exercise, you can revisit previous content in this module, or go to some of the additional resources provided as many times as you want to find the solution. +- Select the _Start course_ button or the _Use this template_ feature within the template repository. This will prompt you to create a new repository. We recommend creating a public repository, as private repositories will use Actions minutes. +After you make your own repository from the template, wait about 20 seconds and refresh. + +- Follow the instructions in the repository's README to understand how the exercise works, its learning objectives, and how to successfully complete the exercise. When you've finished the exercise in GitHub, return here for: -​ + > [!div class="checklist"] -> - A quick knowledge check. -> - A summary of what you've learned. -> - A badge for completing this module. -​ +> * A quick knowledge check +> * A summary of what you've learned +> * To earn a badge for completing this module + > [!div class="nextstepaction"] -> [Start the exercise on GitHub](https://github.com/githubtraining/exercise-configure-dependabot) +> [Start the exercise on GitHub] diff --git a/github/configure-dependabot-security-updates-on-github-repo/index.yml b/github/configure-dependabot-security-updates-on-github-repo/index.yml index 380e3927..3cabbf7b 100644 --- a/github/configure-dependabot-security-updates-on-github-repo/index.yml +++ b/github/configure-dependabot-security-updates-on-github-repo/index.yml 
@@ -13,13 +13,9 @@ title: Configure Dependabot security updates on your GitHub repo summary: Manage your dependencies with GitHub Dependabot abstract: | By the end of this module, you'll be able to: - - Describe the available tools for managing vulnerable dependencies on GitHub. - - Enable and configure Dependabot alerts. - - Identify the permissions and roles required to view and enable Dependabot alerts. - - Enable and configure Dependabot security updates. - - Identify, review, and address vulnerable dependencies. - - Explain how to use GraphQL API to retrieve vulnerability information. - - Explain how to configure notifications for vulnerable dependencies. + - Understand the basics of the dependency graph, the GitHub Advisory Database, and Dependabot. + - How to enable,view, grant, and resolve Dependabot alerts. + - Manage Dependabot notifications and reports. prerequisites: | - A GitHub account. - Administrative access to a repository.
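Review bot: In the `includes/1-introduction.md` hunk, the new objective "How to enable, view, grant, and resolve Dependabot alerts." is not parallel with the other items (which are imperatives such as "Understand…" and "Enable and configure…"), and "grant" an alert reads oddly; something like "Enable, view, and resolve Dependabot alerts, and grant access to them." keeps the list consistent. The added `+` blank line before `## Prerequisites` also leaves two consecutive blank lines there.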
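Review bot: In the first `2-manage-your-dependencies-github.md` hunk, the ordering now contradicts itself: the unit opens by defining Dependabot and its three features, and then says "In this unit you will learn about the dependency graph and the GitHub Advisory Database and how to manage your dependencies before we dive into Dependabot." Either keep the motivating "It's common for software projects…" paragraph first and introduce Dependabot after it, or reword the transition so it does not promise to come to Dependabot later. Minor: "In this unit you will learn" needs a comma after "unit", and the surrounding text uses the contraction "you'll".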
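Review bot: In the `@@ -86,13 +89,3 @@` hunk, removing the `## Dependabot` section also drops the closing transition "In the remaining units, you'll learn more about using Dependabot in your repository." so the unit now ends abruptly on the npm advisories bullet; since the Dependabot description moved to the top of the file, consider keeping a one-line hand-off sentence at the end.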
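Review bot: In the `6-exercise.md` hunk, the last line changes `[Start the exercise on GitHub](https://github.com/githubtraining/exercise-configure-dependabot)` to a bare `[Start the exercise on GitHub]`, so the next-step button no longer has a target and will not render as a link; restore the URL (or the new one, if the exercise repository moved). Two structural points in the same hunk: the line "After you make your own repository from the template, wait about 20 seconds and refresh." is not indented under its `-` bullet, so it breaks the list and renders as a separate paragraph, and the checklist's third item "To earn a badge for completing this module" is not parallel with "A quick knowledge check" and "A summary of what you've learned". Also note that the removed `[!NOTE]` about `.github/workflows/grading.yml` was the only warning not to edit the grading workflow; if the exercise repository still grades via Actions, that warning should survive somewhere (the README or here). Wording: "complete the below tasks" reads better as "complete the tasks below".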
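Review bot: In the `index.yml` hunk, "How to enable,view, grant, and resolve Dependabot alerts." is missing the space after the first comma and, as in the introduction file, is not phrased as an imperative like the neighbouring items. More importantly, this abstract drops "Enable and configure Dependabot security updates." while the same list in `includes/1-introduction.md` keeps it, so the two objective lists in this change no longer match; given the module title is "Configure Dependabot security updates on your GitHub repo", keeping that objective in both places seems right.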