Skip to content

oshati/skills-secure-repository-supply-chain

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

2 Commits
 
 
 
 
 
 
 
 
 
 

Repository files navigation

Secure your repository's supply chain

Secure your supply chain, understand dependencies in your environment, know about vulnerabilities in those dependencies and patch them.

Step 1: Review and add dependencies using dependency graph

Welcome to "Secure your repository's supply chain"! 👋

What's the big deal about securing your repository's supply chain?: With the accelerated use of open source, most projects depend on hundreds of open-source dependencies. This poses a security problem: what if the dependencies you're using are vulnerable? You could be putting your users at risk of a supply chain attack. One of the most important things you can do to protect your supply chain is to patch your vulnerable dependencies and replace any malware.

GitHub offers a range of features to help you understand the dependencies in your environment, know about vulnerabilities in those dependencies, and patch them. The supply chain features on GitHub are:

  • Dependency graph
  • Dependency review
  • Dependabot alerts
  • Dependabot updates
    • Dependabot security updates
    • Dependabot version updates

What is a dependency graph: The dependency graph is a summary of the manifest and lock files stored in a repository and any dependencies that are submitted for the repository using the dependency submission API (beta). For each repository, it shows:

  • Dependencies, the ecosystems and packages it depends on
  • Dependents, the repositories and packages that depend on it

⌨️ Activity 1.1: Verify that dependency graph is enabled

We recommend opening another browser tab to work through the following activities so you can keep these instructions open for reference.

Dependency graph is enabled by default for all new public repositories. If you're working in a public repository, you can go straight to "Activity 1.2: Add a new dependency and view your dependency graph." For private or internal repositories, you'll need to enable Dependency graph.

  1. Navigate to the Settings tab.
  2. Click Code security and analysis.
  3. Enable "Dependency graph."

⌨️ Activity 1.2: Add a new dependency and view your dependency graph

  1. Navigate to the Code tab and locate the code/src/AttendeeSite folder.
  2. Add the following content to the package-lock.json file after the third to last bracket } and before the last two brackets.
    ,
     "follow-redirects": {
       "version": "1.14.1",
       "resolved": "https://registry.npmjs.org/follow-redirects/-/follow-redirects-1.14.1.tgz",
       "integrity": "sha512-HWqDgT7ZEkqRzBvc2s64vSZ/hfOceEol3ac/7tKwzuvEyWx3/4UegXh5oBOIotkGsObyk3xznnSRVADBgWSQVg=="
     }
    
  3. Navigate to the Insights tab.
  4. Select Dependency graph from the side navigation bar.
  5. Review all the dependencies on the Dependencies tab.
  6. Search for follow-redirects and review the new dependency you just added. Screen Shot showing the "follow-redirects" dependency.

Wait about 20 seconds then refresh this page (the one you're following instructions from). GitHub Actions will automatically update to display the next step.


Get help: Post in our discussion boardReview the GitHub status page

© 2024 GitHub • Code of ConductMIT License

About

No description, website, or topics provided.

Resources

License

Stars

Watchers

Forks

Releases

No releases published

Packages

No packages published