This repository is designed for hands-on exercises to help you secure open-source projects on GitHub. You'll learn how to:
- Find and fix vulnerabilities using CodeQL and Copilot Autofix
- Detect and remove hardcoded secrets using GitHub Secret Scanning & Push Protection
- Keep dependencies secure with Dependabot
- Prevent unreviewed code from being merged by enabling branch protection
- Set up responsible security reporting with SECURITY.md and Private Vulnerability Reporting (PVR)
Each section contains a practical exercise to apply these security best practices.
📌 Objective: Use CodeQL scanning to detect vulnerabilities and Copilot Autofix to quickly fix them.
- Fork this repository to your GitHub account.
- Enable Code Scanning:
  - Go to Settings > Security > Code Security > Code Scanning.
  - Click Enable Default Setup for CodeQL Analysis.
  - Click Enable CodeQL.
  - In the Actions tab, wait for the CodeQL setup to complete.
- Review vulnerabilities flagged by CodeQL:
  - Open the Security tab.
  - 📝 Note: If the Security tab is not in the main navigation bar, click the ellipsis menu (…) in the top-right corner and select Security.
  - Click on Code scanning alerts to view issues.
- Fix a detected vulnerability using Copilot Autofix:
  - Click on a detected vulnerability.
  - Click Generate fix.
  - Commit the fix to a new branch.
  - Click Commit change to open a pull request.
  - Click Ready for review and Merge pull request.
✅ Now, your repository has CodeQL enabled and can automatically detect vulnerabilities!
📌 Objective: Learn how to verify Secret Scanning and Push Protection settings, commit a secret using the GitHub UI, view secret alerts, and properly remove exposed secrets.
- Navigate to Settings > Code security & analysis.
- Ensure that both "Secret scanning" and "Push protection" are enabled.
- Navigate to `config.js` and click the pencil (✏️) edit button.
- Replace the placeholder values with an AWS secret.
- Scroll down, enter a commit message (e.g., "Adding AWS keys to test push protection"), and click Commit changes.
- If Push Protection is enabled, GitHub will block the commit with a security warning.
- If prompted, bypass the alert (for testing purposes).
- If you force the commit, Secret Scanning will detect the secret later.
- Go to Security > Secret Scanning.
  - 📝 Note: If the Security tab is not in the main navigation bar, click the ellipsis menu (…) in the top-right corner and select Security.
- Locate the alert for the committed secret.
- Follow GitHub’s recommended steps to:
  - Revoke the exposed secret (if applicable).
  - Remove it from the codebase properly.
🔴 Removing the secret from your repository does not revoke its access. If a real AWS key (or any secret) is exposed, you must:
- Go to your AWS account or the service provider where the key was generated.
- Revoke or rotate the secret to prevent unauthorized use.
- Update your application with a new, secure secret stored safely (e.g., environment variables).
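The hardened shape of `config.js` that the last step above calls for, as an added example (not the workshop's own `config.js`): credentials come only from environment variables, startup fails closed when a variable is missing or still holds a placeholder, and a redacted view keeps the secret out of logs. The variable names and placeholder patterns are assumptions.

```javascript
'use strict';

// Environment variables the application needs; none of them may live in config.js.
const REQUIRED_VARS = ['AWS_ACCESS_KEY_ID', 'AWS_SECRET_ACCESS_KEY'];

// Values that look like the placeholders left in a sample config ("YOUR_KEY_HERE",
// "changeme", "<your-secret>", ...). Refusing them stops a missing variable from
// being "fixed" by pasting a hardcoded value back into source.
const PLACEHOLDER_RE = /^(your[-_ ]|replace[-_ ]?me|changeme|example|xxx+$|<.*>$)/i;

// Build the AWS client configuration from the environment only.
// Throws (fails closed) when a variable is absent, empty or a placeholder.
function loadAwsConfig(env) {
  const missing = REQUIRED_VARS.filter((name) => !env[name] || env[name].trim() === '');
  if (missing.length > 0) {
    throw new Error(`Missing required environment variables: ${missing.join(', ')}`);
  }
  const placeholders = REQUIRED_VARS.filter((name) => PLACEHOLDER_RE.test(env[name].trim()));
  if (placeholders.length > 0) {
    throw new Error(`Placeholder values are not accepted for: ${placeholders.join(', ')}`);
  }
  return {
    region: env.AWS_REGION || 'us-east-1',
    accessKeyId: env.AWS_ACCESS_KEY_ID,
    secretAccessKey: env.AWS_SECRET_ACCESS_KEY,
  };
}

// Safe representation for logs and error reports: the secret is never echoed and
// only a short prefix of the key id is shown, enough to tell which key is in use.
function describeConfig(cfg) {
  return {
    region: cfg.region,
    accessKeyId: `${cfg.accessKeyId.slice(0, 4)}...`,
    secretAccessKey: '[redacted]',
  };
}

// In the application: const awsConfig = loadAwsConfig(process.env);
```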
✅ Now, your repository is protected against secret leaks!
📌 Objective: Use Dependabot to detect and update outdated dependencies.
- Enable Dependabot:
  - Navigate to Security > Dependabot Alerts.
  - Enable Dependabot alerts if not already active.
  - 📝 Note: If the Security tab is not in the main navigation bar, click the ellipsis menu (…) in the top-right corner and select Security.
- Check for dependency alerts:
  - Go to Security > Dependabot Alerts.
- Apply Dependabot's suggested fixes:
  - Click on a Dependabot security alert.
  - Follow instructions to create a pull request (PR) for the update.
  - Merge the PR to apply the update.
✅ Now, your repository is set up to detect and fix vulnerable dependencies!
📌 Objective: Set up branch protection rules to enforce security best practices.
- Go to Settings > Branches.
- Click "Add Rule" under Branch protection rules.
- In the Branch name pattern field, type `main`.
- ✅ Require pull requests before merging
- ✅ Require at least one approval before merging
- ✅ Require status checks to pass before merging
- ✅ Prevent force pushes to `main`
- Try making a change via the GitHub UI:
  - Click the pencil (✏️) edit button on `README.md`.
  - Make a small change and click "Commit changes".
  - GitHub should block direct commits and suggest creating a pull request.
  - Click "Create pull request", add a description, and submit it.
  - Request approval (if required) and merge the pull request.
✅ Now, your repository is protected against unreviewed changes!
📌 Objective: Learn how to set up a security policy, report, and manage vulnerabilities responsibly.
- Navigate to Settings > Security > Security Policy.
- Click "Set up a security policy".
- Define your policy, including:
  - How to report security issues
  - Expected response times
  - Preferred contact method (e.g., Private Vulnerability Reporting, email)
- Go to Settings > Security > Private Vulnerability Reporting.
- Click "Enable" to allow responsible disclosure of vulnerabilities.
- Navigate to Security > Private Vulnerability Reporting.
- Click "Report a Vulnerability" and submit a sample report.
- Fix the vulnerability in your repository.
- Navigate to Security > Security Advisories.
- Click "New Draft Advisory", fill in details, and publish once the fix is deployed.
✅ Now, your repository has a structured process for handling vulnerabilities!
- Follow each exercise step by step.
- Fix vulnerabilities flagged by GitHub security tools.
- Explore GitHub’s security features in real time.
Happy Securing! 🔒