githubtraining / security-strategy-essentials

Course repo for Learning Lab course "Security strategy essentials"

Home Page: https://lab.github.com/githubtraining/security-strategy-essentials

Topics: learning-lab, course, hacktoberfest

security-strategy-essentials's Introduction


Course: Security strategy essentials

This repository powers the Learning Lab course Security strategy essentials.

Every Learning Lab course is made up of a course repository and a template repository. The course repository is written in YAML and Markdown. The template repository could be written in any language that supports the learning objectives.

For more information on the goals of this course, check out the course-details.md.

Contribute

See something we could improve? Check out the contributing guide in the community contributors repository for more information on the types of contributions we ❤️ and instructions.

We ❤️ our community and take great care to ensure it is fun, safe and rewarding. Please review our Code of Conduct for community expectations and guidelines for reporting concerns.

License

All Learning Lab course repositories are licensed under CC-BY-4.0 (c) 2019 GitHub, Inc. The template repositories associated with each course may have different licenses.

When using the GitHub logos, be sure to follow the GitHub logo guidelines

security-strategy-essentials's People

Contributors

a-a-ron, brianamarie, davenowell, hectorsector, jasonetco, lucie-docs

security-strategy-essentials's Issues

Improve last step

In the last step, we ask people to (1) filter-branch and force push, and (2) to show their log output. Although these are two steps, we have them do it in one which might be a lot to wrap your head around.

I suggest we listen for the force-push to master, acknowledge that, and then have them enter and validate their log in a separate step.

New flow for enabling security alerts

The flow for enabling security alerts has changed. The settings area has been renamed, as has the approval flow.

The process described in responses/00_introduction-issue.md is only visible for private repos.

The new flow is as follows:

  1. Click on the Settings tab
  2. Go to the Security & analysis section
  3. Enable the dependency graph, Dependabot alerts, and Dependabot security updates

Working on this issue should also include a review of the remaining course steps since these features are the core of this course.

Utilize security policy

The learner is currently asked to create a security policy, but we don't use it. The immediate next step (which is an alert about sensitive data) is a perfect opportunity to close the loop on the inclusion of the policy and how to use it.

Incorrect instructions for enabling vulnerability alerts

Describe the bug
This is a follow-on from the community discussion "Lab security-strategy-essentials can this only be done through enterprise?"

Course instructions do not correspond to current UI:

  • "Data services" seems to have been moved and instead refers to "Security & analysis settings".
  • There are no check boxes displayed.

To Reproduce

  1. Go to https://lab.github.com/githubtraining/securing-your-workflows (Latest release February 26, 2020)
  2. Click on "Start free course"
    Note that Public (Default) is selected. Private is greyed out.
    Click "Begin Securing your workflows".
    Course is prepared.
  3. Click Start in Course Step 1
    "Welcome to Securing your workflows!" is displayed.
    The section about enabling data services is not displayed.
  4. Using the instructions from the Quick Reference Guide:
     1.1. Click the Settings tab in your repository.
     1.2. Scroll down until you see Data services.
     1.3. Under Data services, click the check boxes to enable all the data services

(screenshot: Data services)

(screenshot: Configure security and analysis features)

  1. In "Configure security and analysis features" click on Enable in the section Dependabot alerts.
    Only Dependabot alerts should be enabled.
    If Dependabot security updates are enabled then the lack of a package-lock.json will cause automatic security updates to fail. In any case, using security updates is not part of the course.

Expected behavior

  1. Include instructions to enable Dependabot alerts in the online instructions even when the repository is public.
  2. Instructions to enable Dependabot alerts should say:
    Click on Security in the repository
    Click on the Enable button corresponding to Dependabot alerts

Additional context
When the community article "Lab security-strategy-essentials can this only be done through enterprise?" was started, there may have been an issue with the proper functioning of Dependabot alerts a couple of days ago, independently of course content. It is however working today (Nov 18, 2020) and nothing in the course has been changed as far as I know.

Note that I am a beginner (which is why I was following the First Week on GitHub stream). Please excuse any wrong assumptions due to my lack of experience!

Change Dependabot step

The current issue about Dependabot currently asks the learner to close the issue. Considering there's a pull request from Dependabot open, could we instead have the learner merge that PR? I think it'd be a more realistic workflow.

Poor instructions to enable Dependabot alerts

This is a follow-on from the closed issue #17

Describe the bug
If the instructions "On the left hand navigation bar, click Dependabot alerts." are followed, Dependabot can be enabled, but the following instructions leave the learner stranded.

To Reproduce

  1. Start course "Security strategy essentials" from https://lab.github.com/githubtraining/security-strategy-essentials
  2. Complete Step 1 (Enable GitHub Pages)
  3. In Step 2 "Find this repository's vulnerable dependencies"
  • Click the Security tab in your repository.
  • On the left hand navigation bar, click Dependabot alerts.
  • Follow the instructions to enable Dependabot alerts, if they're not already enabled.
  • Click on the debug alert.
  • Take note of the suggested version.
  • Comment in this issue with the suggested update version.

Expected behavior
Following the instructions should lead to the vulnerability being shown.

Suggested changes
Instead of:
"Click the Security tab in your repository.
On the left hand navigation bar, click Dependabot alerts.
Follow the instructions to enable Dependabot alerts, if they're not already enabled."

write:
"Click the Settings tab in your repository, then click Security & analysis.
If the button "Enable" is shown opposite "Dependabot alerts", then click the button to Enable Dependabot alerts."

now:
Click the Security tab in your repository.
Click "View Dependabot alerts".

which then correctly leads into:
"Click on the debug alert."

Screenshots
Here are the screenshots from following the current set of instructions:

  • Click the Security tab in your repository. (screenshot: Security tab)

  • On the left hand navigation bar, click Dependabot alerts. (screenshot)

  • Follow the instructions to enable Dependabot alerts, if they're not already enabled. (screenshot)

  • Click on the debug alert.

There is no debug alert shown. The step of going to the Security tab and selecting "Dependabot alerts" on the left or "View Dependabot alerts" on the right is missing.

Feedback and Review

Hey @brianamarie and @hectorsector

For reference: https://lab.github.com/githubtraining/security-strategy-essentials/8.1.0

Above is my up-to-date version for the workshop security course. I'd love some feedback on the logic and making sure this is flowing nicely.

The responses are not complete but hopefully they have enough info to guide you through it. If you need more info, I have notes in the config file on each step.

Also, the step to add dependabot took about 5+ minutes to work. So, I instead took the route of providing instructions to install it for automatic dependency scanning in just an issue that the learner closes when done instead of building a step around it.

Specific items for feedback:

  • Step 6: The security policy is added to a new PR. Maybe adding a branch protection is needed here so the learner doesn't commit to master?
  • Step 7: This step won't complete. Not sure why... thoughts?
  • Step 12: I'm trying to figure out how to complete this step. I need to remove the historical commits that introduced the .env file at the beginning of the history. I looked at this lightning talk resource (https://github.com/github/support-security-ombuds/blob/master/education/lightning-talks/removing-sensitive-data.md) that was helpful. Maybe we validate on the .env file instead of the commit? I'm not sure how to do this one. Looking for ✨ suggestions here!

Thanks!!

No "Save" button to enable GitHub Pages

Describe the bug
The first step asks the learner to click Save after Enabling GitHub Pages. No such button exists any longer.

To Reproduce
Steps to reproduce the behavior:

  1. Register for the course
  2. Complete the first step -- enable GitHub Pages
  3. Notice it auto saves

Expected behavior
The bot's response should be in sync with the UI.

Additional context
The response file that needs to change is responses/00_introduction-issue.md.

Dependabot is unable to create an automated pull request - Instructions Unclear

Describe the bug

Step 4 https://github.com/githubtraining/security-strategy-essentials/blob/main/responses/04_add-dependabot.md

Is asking a user to view the PR Dependabot created but this is not possible as there is no Package-lock.json...
https://github.com/githubtraining/security-strategy-essentials/blob/main/responses/04_add-dependabot.md

  • (screenshot)

To Reproduce
Steps to reproduce the behavior:

  1. Go to step 4 "Add Dependabot to your repository #4" in Issue #4 that will be opened
  2. Attempt to view PRs, there is none created by dependabot.

Expected behavior

  • A PR should be shown as closed created by dependabot

Desktop:

  • OS: Mac
  • Browser: Chrome

Use `git filter-repo`

Describe the bug
The course currently uses git filter-branch which results in the following message from git:

❯ git filter-branch --index-filter "git rm -rf --cached --ignore-unmatch .env" HEAD
WARNING: git-filter-branch has a glut of gotchas generating mangled history
         rewrites.  Hit Ctrl-C before proceeding to abort, then use an
         alternative filtering tool such as 'git filter-repo'
         (https://github.com/newren/git-filter-repo/) instead.  See the
         filter-branch manual page for more details; to squelch this warning,
         set FILTER_BRANCH_SQUELCH_WARNING=1.
Proceeding with filter-branch...

To Reproduce
This is in Step 13: Remove historical reference to a previous .env file

Expected behavior
Git shouldn't complain if we're using the proper command.
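The "Improve last step" issue and the `git filter-repo` issue above describe one procedure: purge a committed .env from history, force-push the rewrite, and prove with the log that the file is gone. The script below is an added example, not course material or code from this repository. It builds a throwaway repository with a constructed secret, prefers git filter-repo when it is installed (a separate install, e.g. pip install git-filter-repo), otherwise falls back to the course's filter-branch command with the warning squelched exactly as git's message suggests, and then counts how many commits still touch the path. The repository, commit messages and API key value are made up. The push itself is left out: it would be `git push --force --all` against the learner's remote, and rewriting history does not revoke the leaked key, which must still be rotated because every clone and fork keeps the old commits.

```shell
#!/bin/sh
# Added example (not from the course): purge a committed .env from history,
# using git filter-repo when available, and verify no commit still touches it.
set -eu

# Identity for the throwaway commits (constructed, not a real account).
export GIT_AUTHOR_NAME=demo GIT_AUTHOR_EMAIL=demo@example.invalid
export GIT_COMMITTER_NAME=demo GIT_COMMITTER_EMAIL=demo@example.invalid

# Count commits on any ref whose diff touches PATH. Non-zero means the secret
# is still reachable through history, whatever the working tree looks like.
commits_touching() {  # usage: commits_touching REPO PATH
  git -C "$1" log --all --oneline -- "$2" | wc -l | tr -d ' '
}

# Build a throwaway repo whose first commit leaks a .env (constructed secret),
# then "fix" it the way learners usually do: git rm --cached plus .gitignore.
# Prints the repo path. The secret is still in the first commit afterwards.
make_leaky_repo() {
  dir=$(mktemp -d)
  git -C "$dir" init -q
  printf 'API_KEY=hunter2-constructed-sample\n' > "$dir/.env"
  printf '# demo\n' > "$dir/README.md"
  git -C "$dir" add .env README.md
  git -C "$dir" commit -q -m 'Initial commit (accidentally includes .env)'
  git -C "$dir" rm -q --cached .env
  printf '.env\n' > "$dir/.gitignore"
  git -C "$dir" add .gitignore
  git -C "$dir" commit -q -m 'Stop tracking .env'
  echo "$dir"
}

# Rewrite every ref so PATH never existed.
purge_path() {  # usage: purge_path REPO PATH
  repo=$1; path=$2
  if git -C "$repo" filter-repo --version >/dev/null 2>&1; then
    # filter-repo refuses to run on anything but a fresh clone unless forced;
    # this demo repo is not a clone. It also expires reflogs and runs gc itself.
    git -C "$repo" filter-repo --quiet --force --invert-paths --path "$path"
  else
    # Fallback: the course's filter-branch command, warning squelched as git
    # itself suggests, applied to all refs rather than just HEAD.
    FILTER_BRANCH_SQUELCH_WARNING=1 git -C "$repo" filter-branch -f \
      --index-filter "git rm -r --cached --ignore-unmatch -q '$path'" -- --all
    # filter-branch keeps the old commits under refs/original/ and in the
    # reflog; delete both, otherwise the secret is one `git log --all` away.
    git -C "$repo" for-each-ref --format='%(refname)' refs/original/ |
      while read -r ref; do git -C "$repo" update-ref -d "$ref"; done
    git -C "$repo" reflog expire --expire=now --all
    git -C "$repo" gc -q --prune=now
  fi
}

# Demo run. After this, `git push --force --all` would publish the rewrite;
# the leaked key must still be rotated, since clones and forks keep old history.
main() {
  repo=$(make_leaky_repo)
  echo "before: $(commits_touching "$repo" .env) commit(s) touch .env"
  purge_path "$repo" .env
  echo "after:  $(commits_touching "$repo" .env) commit(s) touch .env"
}
main
```

The before count is 2 (the commit that added .env and the one that removed it); after the rewrite it is 0, which is the log output the last course step should ask the learner to paste. Checking `git log --all -- .env` rather than `ls` is the point: `git rm --cached` alone only changes the working tree and the tip commit, not the history that a clone receives.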
