Securing your repository's supply chain

Step 1: Review and add dependencies using Dependency graph

Welcome to "Securing your repository's supply chain"! 👋

What is securing your repository's supply chain: GitHub helps you secure your supply chain, from understanding the dependencies in your environment, to knowing about vulnerabilities in those dependencies, and patching them.

What is a Dependency Graph: The dependency graph is a summary of the manifest and lock files stored in a repository and any dependencies that are submitted for the repository using the Dependency submission API (beta). For each repository, it shows:

  • Dependencies, the ecosystems and packages it depends on
  • Dependents, the repositories and packages that depend on it
  • To read more about the dependency graph, see: Dependency graph

⌨️ Activity: Verify Dependency graph enabled

  1. Open a new browser tab, and work on the steps in your second tab while you read the instructions in this tab.
  2. Navigate to the Settings tab.
  3. Click on Code security and analysis.
  4. Verify/enable Dependency graph. If the repo is private you will enable it here. If the repo is public it will be enabled by default.
  5. Move on to the next activity.

⌨️ Activity: View dependencies

  1. Navigate to the Insights tab.
  2. Click on Dependency graph.
  3. Review all the dependencies on the Dependencies hub.
  4. Learn how to explore dependencies: Explore dependencies
  5. Move on to the next activity.

⌨️ Activity: Add and view dependency

  1. Navigate to the Code tab.
  2. Navigate to the code/src/AttendeeSite folder.
  3. Add the following content to the package-lock.json file after the third-to-last `}`:

     ```json
     ,
      "follow-redirects": {
        "version": "1.14.1",
        "resolved": "https://registry.npmjs.org/follow-redirects/-/follow-redirects-1.14.1.tgz",
        "integrity": "sha512-HWqDgT7ZEkqRzBvc2s64vSZ/hfOceEol3ac/7tKwzuvEyWx3/4UegXh5oBOIotkGsObyk3xznnSRVADBgWSQVg=="
      }
     ```

  4. Navigate to the Insights tab.
  5. Click on Dependency graph.
  6. Review all new dependencies on the Dependencies hub.
  7. Search for follow-redirects and review the dependency.
  8. Wait about 20 seconds then refresh this page for the next step.

Step 2: Enable and view Dependabot alerts

Nice work! 🎉 You added and viewed a dependency with Dependency graph!

Next, we need to enable and view Dependabot alerts.

What are Dependabot alerts: Dependabot alerts tell you that your code depends on a package that is insecure. Dependabot alerts reference the GitHub Advisory Database, which contains a list of known security vulnerabilities and malware, grouped in two categories: GitHub-reviewed advisories and unreviewed advisories.

⌨️ Activity: View security advisories in the GitHub Advisory Database

  1. Open a new browser tab.
  2. Navigate to the GitHub Advisory Database.
  3. Type or paste follow-redirects into the search box.
  4. Click on any of the advisories that were found.
  5. Note the packages, impact, patches, workarounds and references for the advisory.
  6. Move on to the next activity.

⌨️ Activity: Enable Dependabot alerts

  1. Open a new browser tab, and work on the steps in your second tab while you read the instructions in this tab.
  2. Navigate to the Settings tab.
  3. Click on Code security and analysis.
  4. Click Enable Dependabot alerts.
  5. Wait about 60 seconds then click on the Security tab at the top of the repository.
  6. Verify there are 4 Dependabot alerts under the Vulnerability alerts section.
  7. Review each alert.
  8. Move on to the next activity.

⌨️ Activity: Create a Pull Request based on a Dependabot alert

  1. Click on Prototype Pollution in minimist alert under the Dependabot alerts section.
  2. View the alert.
  3. Click the Create Dependabot security update button. This will create a pull request for the fix.
  4. Wait until the pull request is created. This could take ~2 minutes.
  5. Click on Review security update button. The pull request will be displayed.
  6. View the pull request. View the Files changed tab to review the update.
  7. Navigate back to the Conversation tab.
  8. Click on Merge pull request button.
  9. Click confirm merge button.
  10. Wait about 20 seconds then refresh this page for the next step.

Step 3: Enable and trigger Dependabot security updates

Nice work enabling, viewing and creating Dependabot alerts ✨

What is Dependabot security updates: Dependabot can fix vulnerable dependencies for you by raising pull requests with security updates.

⌨️ Activity: Enable and trigger Dependabot security updates

  1. Open a new browser tab, and work on the steps in your second tab while you read the instructions in this tab.
  2. Navigate to the Settings tab.
  3. Click on Code security and analysis.
  4. Click Enable on Dependabot security updates.
  5. Wait until a pull request shows up under the Pull requests repository tab. This should take about 60 seconds; then click on the Pull requests tab at the top of the repository.
  6. Verify there is a new pull request titled Bump axios from 0.21.1 to 0.21.2 in /code/src/AttendeeSite.
  7. View the pull request.
  8. Click on Merge pull request button.
  9. Click confirm merge button.
  10. Wait about 20 seconds then refresh this page for the next step.

Step 4: Enable and trigger Dependabot version updates

Nicely done enabling and triggering Dependabot security updates! 🥳

What are Dependabot version updates: You can use Dependabot to keep the packages you use updated to the latest versions.

⌨️ Activity: Enable and trigger Dependabot version updates

  1. Open a new browser tab, and work on the steps in your second tab while you read the instructions in this tab.
  2. Navigate to the Settings tab.
  3. Click on Code security and analysis.
  4. Click Enable on Dependabot version updates.
  5. A new file editor opens with pre-populated contents. The file is called dependabot.yml.
  6. Add nuget to the package-ecosystem.
  7. Change the directory to /code/.
  8. The dependabot.yml file should now match the course screenshot (Screen Shot 2022-09-27, not reproduced here).
  9. Click Commit changes directly to the main branch.
  10. Wait about 20 seconds then refresh this page for the next step.
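As an added example (not part of the original course), this is the dependabot.yml that steps 6 and 7 produce when applied to GitHub's pre-populated template; the `version: 2` wrapper and the weekly schedule are assumed to be the template defaults, as the course does not state them.

```yaml
# .github/dependabot.yml - Dependabot version updates configuration.
# Reconstructed example; the weekly interval is assumed from GitHub's template default.
version: 2
updates:
  - package-ecosystem: "nuget"   # step 6: update NuGet packages of the .NET project
    directory: "/code/"          # step 7: folder containing the project manifests
    schedule:
      interval: "weekly"         # how often Dependabot checks for newer versions
```

Leaving package-ecosystem empty, as in the template, makes the configuration invalid, so the value in step 6 is required before committing.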

Finish

Congratulations friend, you've completed this course!


Here's a recap of all the tasks you've accomplished in your repository:

  • You've learned how to view and use Dependency graph.
  • You've learned how to enable and use Dependabot alerts.
  • You've learned how to enable and use Dependabot security updates.
  • You've learned how to enable and use Dependabot version updates.

What's next?


Get help: TBD-support • Review the GitHub status page

© 2022 TBD-copyright-holder • Code of Conduct • CC-BY-4.0 License
