Add Advanced Security questions 13,14,15,16,17,18 (#97)
1 parent c7d8606, commit c765750
Showing 7 changed files with 84 additions and 2 deletions.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,13 @@ | ||
--- | ||
archetype: "questions" | ||
title: "Question 013" | ||
question: "How can You exclude certain directories or files from secret scanning?" | ||
draft: false | ||
--- | ||
|
||
|
||
> https://docs.github.com/en/code-security/secret-scanning/configuring-secret-scanning-for-your-repositories#excluding-directories-from-secret-scanning-alerts-for-users | ||
1. [x] By creating a `secret_scanning.yml` file and including paths that should not be scanned | ||
1. [ ] It's not possible to exclude specific files and/or directories from being scanned. Once You enable secret scanning for a repository, all files and directories will be scanned. | ||
1. [ ] Include these files in the `.gitignore` file | ||
1. [ ] By creating a `dependabot.yml` file and including paths which should not be scanned |
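Review bot: the correct answer on the `1. [x]` line names `secret_scanning.yml` without saying where it lives; spell out the full path `.github/secret_scanning.yml` (the file the linked doc describes) so the answer is unambiguous, and give the `dependabot.yml` distractor its `.github/` location too so the path alone does not give the answer away. Minor: the `question:` line capitalises "You" mid-sentence ("How can You exclude"); use lowercase "you".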
@@ -0,0 +1,14 @@ | ||
--- | ||
archetype: "questions" | ||
title: "Question 014" | ||
question: "You have included some fake secrets in Your test code and they have been picked up by GitHub's secret scanning. What can You do to tell GitHub that these are fake secrets and can be ignored? (Choose two.)" | ||
draft: false | ||
--- | ||
|
||
|
||
> <br/> [Managing secret scanning alerts](https://docs.github.com/en/code-security/secret-scanning/managing-alerts-from-secret-scanning#managing-secret-scanning-alerts) | ||
> <br/> [Excluding directories from secret scanning alerts](https://docs.github.com/en/code-security/secret-scanning/configuring-secret-scanning-for-your-repositories#excluding-directories-from-secret-scanning-alerts-for-users) | ||
- [x] By creating a `secret_scanning.yml` file within which you declare paths where fake secrets are located, so scans will omit them | ||
- [x] Close the Secret Scanning Alert with `Used in tests` close reason | ||
- [ ] In your test files, add a comment `#gh_ignore: fake secret` on the line where the fake secret is located. | ||
- [ ] By creating a `.github/codeql.yml` file within which you declare paths where fake secrets are located, so scans will omit them |
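Review bot: the correct first option gives `secret_scanning.yml` without its `.github/` location while the `codeql.yml` distractor spells out `.github/codeql.yml`; write both with the full path so the location does not hint at the answer. The `question:` line uses capitalised "Your"/"You" but the options use lowercase "you"; pick one. The two `> <br/>` reference lines also start with a `<br/>` tag that the reference line in the previous file does not use; drop it or use it consistently.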
@@ -0,0 +1,13 @@ | ||
--- | ||
archetype: "questions" | ||
title: "Question 015" | ||
question: "You have accidentaly commited Your GitHub personal access token to a public repository. What actions should You take to prevent Your account from being compromised?" | ||
draft: false | ||
--- | ||
|
||
|
||
> https://docs.github.com/en/code-security/secret-scanning/managing-alerts-from-secret-scanning#securing-compromised-secrets | ||
1. [x] Consider the token compromised and delete it immediately | ||
1. [ ] Change the token's permissions to read-only | ||
1. [ ] Overwrite the git history to mask the token | ||
1. [ ] Check if this token is used in any of your applications, if so - delete it. |
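Review bot: spelling on the `question:` line: "accidentaly commited" should be "accidentally committed", and "Your"/"You" should be lowercase mid-sentence. The fourth option ends with a period ("if so - delete it.") while the other three have none; make the punctuation consistent.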
@@ -0,0 +1,13 @@ | ||
--- | ||
archetype: "questions" | ||
title: "Question 016" | ||
question: "What is the behaviour when a new secret pattern is added or updated in the GitHub secret scanning partner program?" | ||
draft: false | ||
--- | ||
|
||
|
||
> https://docs.github.com/en/code-security/secret-scanning/about-secret-scanning#accessing-secret-scanning-alerts | ||
1. [x] GitHub will run a scan of all historical code content in public repositories with secret scanning enabled | ||
1. [ ] GitHub will only scan for the new pattern in newly pushed commits in repositories with secret scanning enabled. If a secret of that pattern was already present in the repository, it will not be detected. | ||
1. [ ] The GitHub partner has to deal with the historicly leaked secrets and GitHub will only scan any new commits for the new pattern | ||
1. [ ] GitHub will create an issue in all repositories with secret scanning enabled so the maintainers can check the repository for any secrets matching the new pattern |
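Review bot: spelling on the third option: "historicly" should be "historically". The second option ends with a period while the others do not. The reference link's anchor is `#accessing-secret-scanning-alerts`, which does not obviously describe what the question asks about (a new or updated partner pattern triggering a scan of historical content); check that the link points at the section that states that behaviour.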
@@ -0,0 +1,16 @@ | ||
--- | ||
archetype: "questions" | ||
title: "Question 017" | ||
question: "Who will be notified when a NEW secret is pushed and detected in a repository? (Choose four.)" | ||
draft: false | ||
--- | ||
|
||
|
||
> https://docs.github.com/en/code-security/secret-scanning/managing-alerts-from-secret-scanning#incremental-scans | ||
- [x] Repository Administrators | ||
- [x] Security Managers | ||
- [x] Users with with custom roles with read/write access | ||
- [x] Organization owners and enterprise owners, but only if they are administrators of repositories where secrets were leaked | ||
- [ ] Everyone with write access to the repository | ||
- [ ] All Organization owners and enterprise owners | ||
- [ ] Commit authors |
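Review bot: doubled word on the third option: "Users with with custom roles". The `question:` line writes "NEW" in all caps where emphasis seems intended; use plain "new" (or Markdown emphasis). Capitalisation is also inconsistent across options ("Organization owners and enterprise owners", "All Organization owners and enterprise owners"); lowercase "organization" to match "enterprise".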
@@ -0,0 +1,13 @@ | ||
--- | ||
archetype: "questions" | ||
title: "Question 018" | ||
question: "When GitHub runs a scan of all historical code in enterprise repositories what is the notification behaviour? (Select two.)" | ||
draft: false | ||
--- | ||
|
||
|
||
> https://docs.github.com/en/code-security/secret-scanning/managing-alerts-from-secret-scanning#historical-scans | ||
- [x] GitHub notifies the enterprise owners and security managers, even if no secrets are found. | ||
- [x] GitHub notifies Repository administrators, security managers, and users with custom roles with read/write access whenever a secret is detected in a repository. | ||
- [ ] GitHub notifies the enterprise owners and security managers, only if it detects exposed secrets. | ||
- [ ] GitHub notifies the commit authors of the commits that contain exposed secrets. |
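Review bot: the `question:` line says "(Select two.)" while the other multiple-answer files in this commit say "(Choose two.)" and "(Choose four.)"; standardise on one form. The same line needs a comma after "enterprise repositories". In the second correct option, "Repository administrators" is capitalised while "security managers" in the same sentence is not.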