manuals

Author: narasimhakudva

labs/Git-setup.md labs/1.Git-setup.mdlabs/Git-setup.md renamed to labs/1.Git-setup.md

@@ -0,0 +1,51 @@
+# 2 Create a Project and a Sprint!
+
+In this hands-on lab you will use GitHub's new Project experience to create a project to track issues and set up an agile style iterative process using sprints. Good luck! 👍
+
+This hands on lab consists of the following steps:
+- [Create Issues in the repository](#create-issues-in-the-repository)
+- [Create a new Project](#create-a-new-project)
+- [Setup and view your sprint](#setup-and-view-your-sprint)
+
+## Create Issues in the repository
+1. Work inside your current repository `Microsoft-Bootcamp/attendee-<your-github-handle>`.
+2. Click `Issues`.
+3. Click `New issue` on the right hand side of the page.
+4. Enter a `Title`. Suggestion: `Create a login page`.
+5. Enter a comment in `Leave a comment`. Suggestion:
+```
+# My first Issue! 
+- [ ] Create a login page for the website
+
+```
+6. Create 3 more issues. Get creative and make them your own.
+
+## Create a new Project
+1. Work inside your current repository `Microsoft-Bootcamp/attendee-<your-github-handle>`.
+2. Click `Projects`.
+3. Click the down arrow next to `Link a project`.
+4. Select `New project`.
+5. Click `New project`.
+6. The `Select a template` dialog appears. 
+7. Under `Project name` type your GitHub handle and then `my first project`. The title will look like `@<your-handle> my first project`.
+8. Verify `Table` is selected and click `Create`.
+9. Click `Add item from repository`.
+10. Select your repository from the drop-down list.
+11. Select the four issues your just created.
+12. Click `Add selected items`.
+
+## Setup and view your sprint
+1. Click `New view, layout `Table`. This will be visible inside the project just created.
+2. Name the view `Sprint view`.
+3. Add a new field. Click the `+` sign next to the `Status` column.
+4. Click `New field` in the dialog box.
+5. Name the field `Sprint`.
+6. In the `Field type` select `Iteration`. Accept the defaults. You might have to rename the field to `Sprint` again.
+7. Click `Save and create`.
+8. Assign the first two Issues to `Sprint 1`.
+9. The third issue to `Sprint 2`.
+10. The fourth issue to `Sprint 3`.
+11. Under the `Sprint view` dropdown select `Group` then `Sprint`. The project should group by sprint.
+12. Save the changes to `Sprint view`.
+
+

labs/2-projects.md

@@ -0,0 +1,64 @@
+# 7 Enabling and using Dependabot on your repository
+The hands-on lab has the goal to learn you how to enable the Dependency and Dependabot features and gain hands-on experience with Dependatbot's ability to update your dependencies automatically.
+
+This hands on lab consists of the following steps:
+- [Enabling the Dependency features](#enabling-the-dependency-features)
+- [Dependabot alerts](#dependabot-alerts)
+- [If time permits: Always assign Dependabot alerts to a person for review](#if-time-permits-always-assign-dependabot-alerts-to-a-person-for-review)
+
+## Enabling the Dependency features
+Let's start with enabling the following features on your repository. When you navigate to the `Settings` tab on your repository, under the `Configure security and analysis features` you will find the following features. Go ahead and click `Enable` for each of these features:
+* Dependency graph
+* Dependabot alerts
+* Dependabot security updates
+
+![Dependabot - Enabling settings](../images/dependabotsettings.PNG)
+
+Now that you have enabled the Dependabot features, let's have some hands-on experience with this functionality.
+
+## Dependabot alerts
+Dependabot alerts track security vulnerabilities that apply to your repository’s dependencies. When you navigate to the `Security` tab on your repository, and click `Dependabot alerts`, you can see the active alerts generated by Dependabot.
+
+![Dependabot - Alerts](../images/dependabotalerts.PNG)
+
+When you click on an alert, you can see the details on that alert. Let's have a look at an example alert. Dependabot will show you details on the vulnerability and a suggested remediation. Review the details of the vulnerability and, if available, the pull request containing the automated security update. Optionally, if there isn't already a Dependabot security updates update for the alert, to create a pull request to resolve the vulnerability, click `Create Dependabot security update`.
+
+![Dependabot - Alert details](../images/dependabotalertdetails.PNG)
+
+A pull request with regards to a security update will always be generated by the Dependabot bot user. Navigate to the pull request that was generated by the Dependabot bot user. Here's an example:
+
+![Dependabot - Generated pull request](../images/dependabotpullrequest.PNG)
+
+When you're ready to update your dependency and resolve the vulnerability, merge the pull request. 
+
+## If time permits: Always assign Dependabot alerts to a person for review
+By default, Dependabot raises pull requests without any reviewers or assignees. In this part of the hands-on lab, let's make use of the ability to configure Dependabot to always assign Dependabot alerts to a person. You can perform this kind of configuration using the `dependabot.yml` file. You must store this file in the `.github` directory of your repository. When you add or update the `dependabot.yml` file, this triggers an immediate check for version updates.
+
+You can use reviewers and assignees to specify reviewers and assignees for all pull requests raised. You can also specify a team but when you specify a team, you must use the full team name, as if you were @mentioning the team (including the organization). 
+
+The example `dependabot.yml` file below changes the npm configuration so that all pull requests opened with version and security updates for npm will have two reviewers and one assignee.
+
+```
+# dependabot.yml file with
+# reviews and an assignee for all npm pull requests
+
+version: 2
+updates:
+  # Keep npm dependencies up to date
+  - package-ecosystem: "nuget"
+    directory: "/code/"
+    schedule:
+      interval: "daily"
+    # Raise all npm pull requests with reviewers
+    # Enter your GitHub username
+    reviewers:
+      - "user-name"
+    # Raise all npm pull requests with an assignee
+     # Enter your GitHub username
+    assignees:
+      - "user-name"
+```
+
+Now, go ahead and try to always assign Dependabot alerts to yourself using configuration via the `dependabot.yml` file.
+
+For more information, please refer to: [https://docs.github.com/en/code-security/supply-chain-security/keeping-your-dependencies-updated-automatically/customizing-dependency-updates](https://docs.github.com/en/code-security/supply-chain-security/keeping-your-dependencies-updated-automatically/customizing-dependency-updates)

labs/issues and pull requests.md labs/2.1issues and pull requests.mdlabs/issues and pull requests.md renamed to labs/2.1issues and pull requests.md

@@ -0,0 +1,82 @@
+# 8 Setting up Secret Scanning for your repository
+In this lab you will:
+ - Learn how to enable secret scanning
+ - Experience how secret scanning scans your repository for known types of secrets
+ - Learn the capabilities of secret scanning that help to prevent fraudulent use 
+ 
+ Good luck! 👍
+
+This hands on lab consists of the following steps:
+- [Secret Scanning: What is it?](#secret-scanning-what-is-it)
+- [Enabling Secret Scaning functionality](#enabling-secret-scanning-functionality)
+- [Triggering Push Protection by trying to add a GitHub Token as a connection string](#triggering-push-protection-by-trying-to-add-a-github-token-as-a-connection-string)
+- [Triggering Secret Scanning by inserting an unwanted exposed email address](#triggering-secret-scanning-by-inserting-an-unwanted-exposed-email-address)
+
+## Enabling GitHub Advanced Security on your repository
+Should GitHub Advanced Security not be enabled yet on your repository, you can enable it from the `Settings` menu on your repository, then under `Security & Analysis`, in the section `GitHub Advanced Security`, click `Enable`. Advanced Security should be enabled in order to enable Code Scanning and Secret Scanning.
+
+## Secret Scanning: What is it?
+If your project communicates with an external service, you might use a token or private key for authentication. Tokens and private keys are examples of secrets that a service provider can issue. If you check a secret into a repository, anyone who has read access to the repository can use the secret to access the external service with your privileges. We recommend that you store secrets in a dedicated, secure location outside of the repository for your project.
+
+Secret scanning will scan your entire Git history on all branches present in your GitHub repository for any secrets. Service providers can partner with GitHub to provide their secret formats for scanning. For more information, see "Secret scanning partner program."
+
+If someone checks a secret with a known pattern into a public or private repository on GitHub, secret scanning catches the secret as it's checked in, and helps you mitigate the impact of the leak. Repository administrators are notified about any that contains a secret, and they can quickly view all detected secrets in the Security tab for the repository.
+
+For GitHub Secret SCanning documentation, please refer to: [https://docs.github.com/en/code-security/secret-scanning/about-secret-scanning](https://docs.github.com/en/code-security/secret-scanning/about-secret-scanning)
+
+### Enabling Secret Scanning functionality
+Depending on your GitHub settings Secret Scanning may already be enabled. To turn GitHub Secret Scanning, please navigate to the `Settings` of your repository, click `Security & analysis` click `Enable` for the `Secret Scanning` feature.
+
+![Secret Scanning - Enable](../images/secretscanningenable.PNG)
+
+Secret Scanning and Push Protection is now enabled for your repository. 
+
+### Triggering Push Protection by trying to add a GitHub Token as a connection string.
+You can trigger the Secret Scanning Push Protection functionality by inserting a secret in your repository yourself. To do so, try if you can manage to execute the following steps:
+* Locate the GitHub PAT you created during the Codespace exercise OR create a new PAT
+* Go back to your code
+* Open the file `/code/src/AttendeeSite/appsettings.json`, 
+* At the end of the file, append the file with a `ConnectionString` element and paste the copied GitHub PAT. 
+* The file should look like this:
+```
+{
+  "Logging": {
+    "LogLevel": {
+      "Default": "Information",
+      "Microsoft": "Warning",
+      "Microsoft.Hosting.Lifetime": "Information"
+    }
+  },
+  "AllowedHosts": "*",
+  "ConnectionString": "PASTE GITHUB PAT"
+}
+```
+* Try and commit your changes and see whether you will be able to. Push protection should stop the commit before it happens.
+
+### Triggering Secret Scanning by inserting an unwanted exposed email address
+* Go back to your code view of the repository
+* Open the file `/code/readme.md` (create if if does not exist) 
+* Add some text to the file:
+```
+# Technical Support
+For Technical Support please contact: [email protected]
+```
+* Commit your changes to main.
+* Go to `Settings`
+* Go to `Code security & analysis`
+* Under `Secret Scanning` and `Custom patterns` click `New pattern`
+* Name the pattern `Custom Email Check`
+* Under `Secret format` add `\b[a-zA-Z0-9._%+-]+@domain\.onmicrosoft\.com\b`
+* Add `[email protected]` to the `Test pattern` box and see it's not a match
+* Add `[email protected]` to the `Test pattern` box and see it's a match
+* Click `Security & Analysis` at the top
+* Click `edit` for the new custom pattern
+* Scroll down and click `Publish pattern`
+* Click on the `Security` tab and view the Secret alert.
+
+### Fix the Security Alert
+* Go back to your landing page of your repositry
+* Select the `Security` tab at the top
+* Click on your Secret alert
+* View the alert
+* Select `False Positive` to turn alert off.

labs/GitHub-Actions-Training-Manual.md labs/3.1GitHub-Actions-Training-Manual.mdlabs/GitHub-Actions-Training-Manual.md renamed to labs/3.1GitHub-Actions-Training-Manual.md

@@ -0,0 +1,72 @@
+# 9 Setting up Code Scanning for your repository
+In this lab you will:
+ - Learn how to set up code scanning for repositories
+ - Experience how code scanning enables you to find security vulnerabilities
+ 
+ Good luck! 👍
+
+This hands on lab consists of the following steps:
+- [Enabling GitHub Advanced Security on your repository](#enabling-github-advanced-security-on-your-repository)
+- [Code Scanning: What is it?](#code-scanning-what-is-it)
+- [Enabling the Code Scanning functionality](#enabling-the-code-scanning-functionality)
+- [Analyzing Code Scanning outcomes](#analyzing-code-scanning-outcomes)
+
+## Enabling GitHub Advanced Security on your repository
+Should GitHub Advanced Security not be enabled yet on your repository, you can enable it from the `Settings` menu on your repository, then under `Security & Analysis`, in the section `GitHub Advanced Security`, click `Enable`. Advanced Security should be enabled in order to enable Code Scanning and Secret Scanning.
+
+![Advanced Security - Enable](../images/advancedsecurityenable.PNG)
+
+## Code Scanning: What is it?
+Code scanning is a feature that you use to analyze the code in a GitHub repository to find security vulnerabilities and coding errors. Any problems identified by the analysis are shown in GitHub.
+
+You can use code scanning to find, triage, and prioritize fixes for existing problems in your code. Code scanning also prevents developers from introducing new problems. You can schedule scans for specific days and times, or trigger scans when a specific event occurs in the repository, such as a push. If code scanning finds a potential vulnerability or error in your code, GitHub displays an alert in the repository. After you fix the code that triggered the alert, GitHub closes the alert. For more information, see [Managing code scanning alerts for your repository](https://docs.github.com/en/code-security/secure-coding/managing-code-scanning-alerts-for-your-repository]).
+
+For GitHub Code Scanning documentation, please refer to: [https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/about-code-scanning](https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/about-code-scanning)
+
+### Enabling the Code Scanning functionality
+To enable GitHub Code Scanning, please navigate to the `Settings` of your repository, click `Security & analysis` click the `Set up` drop down for the `Code Scanning` feature and choose "Advanced".
+
+![Code Scanning - Set up](../images/codescanningsetup.PNG)
+
+You'll be directed to the insert a new file that runs code scanning by using the *CodeQL Analysis* product maintained by GitHub.
+
+![Code Scanning - Get started](../images/getstartedwithcodescanning.PNG)
+
+After this step, a `codeql.yml` file is generated for you. For most projects, this workflow file will not need changes; you can simply commit it to your repository. 
+
+![Code Scanning - Commit](../images/codescanningcommit.PNG)
+
+Once your changes are committed, you will see the `codeql.yml` file in the (new) directory `./github/workflows`.
+
+![Code Scanning - CodeQL Analysis Workflow](../images/codeqlanalysisyml.PNG)
+
+When you click the file `codeql.yml`, you get to see the option `View runs`. 
+
+![Code Scanning - CodeQL view runs](../images/codeqlviewruns.PNG)
+
+From here, you can see the list of workflows with the CodeQL workflow and the run history of the CodeQL workflow. In the default CodeQL analysis workflow, code scanning is configured to analyze your code each time you either push a change to the default branch or any protected branches, or raise a pull request against the default branch. As a result, code scanning will now commence. As you can see on the below screenshot, the workflow is currently running.
+
+![Code Scanning - CodeQL run history](../images/codeqlrunhistory.PNG)
+
+Reviewing any failed analysis job
+
+After some minutes, generally around 7 to 8 minutes, the workflow run will be completed and you will see the status being updated.
+
+![Code Scanning - CodeQL views runs (completed)](../images/codeqlviewruns_completed.PNG)
+
+Clicking through on the workflow run, by clicking on `Create codeql.yml`, you can see the details of the workflow run. 
+
+![Code Scanning - CodeQL workflow completed](../images/codeqlworkflow_completed.PNG)
+
+Great, now that your CodeQL workflow is completed, we can move on and discover the way your Code Scanning outcomes can be analyzed. 
+
+### Analyzing Code Scanning outcomes
+When you navigate to the `Security` tab on your repository, and click `Code Scanning alerts`, you can see the active alerts for Code Scanning. From this view, you can view, fix, dismiss, or delete alerts for potential vulnerabilities or errors in your project's code.
+
+![Code Scanning - Security Tab](../images/codescanning_securitytab.PNG)
+
+Each alert highlights a problem with the code and the name of the tool that identified it. You can see the line of code that triggered the alert, as well as properties of the alert, such as the severity, security severity, and the nature of the problem. Alerts also tell you when the issue was first introduced. For alerts identified by CodeQL analysis, you will also see information on how to fix the problem.
+
+![Code Scanning - Alerts details](../images/codescanningalertdetails.PNG)
+
+For more detailed information on managing the Code Scanning alerts, refer to: [https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/managing-code-scanning-alerts-for-your-repository](https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/managing-code-scanning-alerts-for-your-repository)