Skip to content

Latest commit

 

History

History
96 lines (68 loc) · 3.86 KB

lab4.md

File metadata and controls

96 lines (68 loc) · 3.86 KB

Lab 4 - Hands-on with Dependency Review

With Dependency Review enabled and configured, we want to block vulnerable packages from entering the codebase. We can define a repository ruleset to enforce this as well!

This lab covers parts of the following exam domains:

  • Domain 3: Configure and use dependency management
  • Domain 6: Describe GitHub Advanced Security best practices

Exercise 1: Add the Dependency Review Action

First, let's add the dependency review action workflow.

  1. In the repository, click on the Actions tab.
  2. Click on the New workflow button in the upper left.
  3. Search for "dependency" and click enter on your keyboard.
  4. Under the Dependency Review workflow, click Configure.
  1. Review the action and its defaults on line 32-39. This action can also block specific open source license types.
  2. In the upper right, click on Commit changes...
  3. Since we have a ruleset, we have to create a branch and merge this to main via pull request. Create a branch and commit (Propose changes) the changes.
  1. On the next screen, use the Copilot icon in the formatting bar to generate a pull request description.
  1. Click Create pull request.
  2. Wait for the code scanning job to finish. It will take a few minutes to run.
    • You will notice that the Dependency Review workflow ran against this PR and didn't report any issues.
  1. Merge the PR once the code scanning completes.
  2. Navigate to Settings of the repo.
  3. Navigate to Rules --> Rulesets.
  4. Click on the name of the ruleset you created in lab 3 to modify it.
  5. Under the Require status checks to pass, click on the Show additional settings button.
  6. Click on Add checks.
  7. Search for dependency-review and add it (it should show up under suggestions).
  1. Save the changes to the ruleset.

Exercise 2: Introduce a dependency vulnerability

Now, let's attempt to add a vulnerable dependency to the codebase and test out the dependency review feature.

  1. Navigate back to the Code tab in the repo.
  2. Click the package.json file in the root of the repository to open it.
  3. Click the pencil ✏️ icon at the top right of the file to go into edit mode.
  4. Go to the end of line 181 and hit Enter to create a blank line for line 182.
  5. Add the following code to line 182, making sure to include the comma at the end of the line:
"tar": "2.2.2",
  1. Click the Commit changes button.
  2. Change the branch name to lab4/dependency-vulnerability and click Propose changes to start a pull request.
  3. Use the Copilot button in the formatting bar to generate a PR summary for you.
  4. Click the Create pull request button.
  5. Wait for the dependency review job to finish.
  6. It should make a comment to the pull request with a note that it found a vulnerable package dependency. In fact, adding this one package would introduce 3 new vulnerabilities to our codebase.
  1. Also, the status check will be marked as failed, preventing the pull request from being merged.

Summary

Celebrate 🎉! We just prevented a security vulnerability from entering our codebase! Without dependency review, if a pull request from this branch was opened to main, nothing would prevent the vulnerability from being introduced.

In the next lab, we are going to go hands-on with secret scanning, and see how we can use push protection to stop secrets from being pushed to GitHub.

➡️ Head back to the labs page to continue on to the next lab.