Skip to content

jamesmacintyre/skills-secure-repository-supply-chain

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

2 Commits
.github
.github
 
 
code
code
 
 
.gitignore
.gitignore
 
 
LICENSE
LICENSE
 
 
README.md
README.md
 
 

Repository files navigation

Secure your repository's supply chain

Secure your supply chain, understand dependencies in your environment, know about vulnerabilities in those dependencies and patch them.

Step 1: Review and add dependencies using dependency graph

Welcome to "Secure your repository's supply chain"! 👋

What's the big deal about securing your repository's supply chain?: With the accelerated use of open source, most projects depend on hundreds of open-source dependencies. This poses a security problem: what if the dependencies you're using are vulnerable? You could be putting your users at risk of a supply chain attack. One of the most important things you can do to protect your supply chain is to patch your vulnerable dependencies and replace any malware.

GitHub offers a range of features to help you understand the dependencies in your environment, know about vulnerabilities in those dependencies, and patch them. The supply chain features on GitHub are:

  • Dependency graph
  • Dependency review
  • Dependabot alerts
  • Dependabot updates
    • Dependabot security updates
    • Dependabot version updates

What is a dependency graph: The dependency graph is a summary of the manifest and lock files stored in a repository and any dependencies that are submitted for the repository using the dependency submission API (beta). For each repository, it shows:

  • Dependencies, the ecosystems and packages it depends on
  • Dependents, the repositories and packages that depend on it

⌨️ Activity: Verify that dependency graph is enabled

We recommend opening another browser tab to work through the following activities so you can keep these instructions open for reference.

  1. Navigate to the Settings tab.
  2. Click Code security and analysis.
  3. Verify/enable Dependency graph. (If the repo is private, you will enable it here. If the repo is public, it will be enabled by default)

⌨️ Activity: Add a new dependency and view your dependency graph

  1. Navigate to the Code tab and locate the code/src/AttendeeSite folder.
  2. Add the following content to the package-lock.json file after the third to last } 
    ,
 "follow-redirects": {
   "version": "1.14.1",
   "resolved": "https://registry.npmjs.org/follow-redirects/-/follow-redirects-1.14.1.tgz",
   "integrity": "sha512-HWqDgT7ZEkqRzBvc2s64vSZ/hfOceEol3ac/7tKwzuvEyWx3/4UegXh5oBOIotkGsObyk3xznnSRVADBgWSQVg=="
 }
  3. Navigate to the Insights tab.
  4. Click Dependency graph.
  5. Review all new dependencies on the Dependencies hub.
  6. Search for follow-redirects and review the new dependency you just added. Screen Shot 2022-10-17 at 3 37 36 PM
  7. Wait about 20 seconds then refresh this page (the one you're following instructions from). GitHub Actions will automatically update to the next step.

Get help: Post in our discussion boardReview the GitHub status page

© 2023 GitHub • Code of ConductMIT License

About

No description, website, or topics provided.

Resources

Readme

License

MIT license
Activity

Stars

0 stars

Watchers

1 watching

Forks

0 forks
Report repository

Releases

No releases published

Packages

No packages published

Contributors 2

  •  
  •  

Languages