diff --git a/.github/dependabot.yml b/.github/dependabot.yml new file mode 100644 index 0000000..bd5c45d --- /dev/null +++ b/.github/dependabot.yml @@ -0,0 +1,292 @@ +# Dependabot Configuration +# ========================= +# Comprehensive dependency management for security and version updates +# Documentation: https://docs.github.com/en/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file + +version: 2 + +registries: + # Add private registries here if needed + # npm-npmjs: + # type: npm-registry + # url: https://registry.npmjs.org + # token: ${{ secrets.NPM_TOKEN }} + +updates: + # ========================================================================== + # GitHub Actions - Keep CI/CD workflows secure and up-to-date + # ========================================================================== + - package-ecosystem: "github-actions" + directory: "/" + schedule: + interval: "weekly" + day: "monday" + time: "06:00" + timezone: "America/New_York" + open-pull-requests-limit: 10 + labels: + - "dependencies" + - "github-actions" + - "security/vulnerability" + commit-message: + prefix: "ci" + include: "scope" + reviewers: + - "timothywarner-org" + groups: + # Group all GitHub Actions updates together + github-actions: + patterns: + - "*" + update-types: + - "minor" + - "patch" + + # ========================================================================== + # Root NPM Dependencies - Main project JavaScript/Node.js packages + # ========================================================================== + - package-ecosystem: "npm" + directory: "/" + schedule: + interval: "daily" + time: "06:00" + timezone: "America/New_York" + open-pull-requests-limit: 15 + labels: + - "dependencies" + - "javascript" + - "security/vulnerability" + commit-message: + prefix: "deps" + include: "scope" + reviewers: + - "timothywarner-org" + # Ignore intentionally vulnerable packages in demo apps + ignore: + - dependency-name: "*" + update-types: ["version-update:semver-major"] + groups: + # Security-related packages - high priority + security-packages: + patterns: + - "helmet*" + - "express-rate-limit*" + - "bcrypt*" + - "jsonwebtoken*" + - "passport*" + - "cors" + - "csurf" + - "xss*" + - "sanitize*" + - "validator*" + update-types: + - "minor" + - "patch" + # Testing frameworks + testing: + patterns: + - "jest*" + - "mocha*" + - "chai*" + - "supertest*" + - "cypress*" + - "@testing-library/*" + update-types: + - "minor" + - "patch" + # Linting and code quality + linting: + patterns: + - "eslint*" + - "prettier*" + - "@typescript-eslint/*" + - "eslint-plugin-*" + update-types: + - "minor" + - "patch" + # Development dependencies + dev-dependencies: + patterns: + - "nodemon*" + - "typescript*" + - "ts-node*" + - "@types/*" + update-types: + - "minor" + - "patch" + + # ========================================================================== + # NodeGoat - Intentionally Vulnerable Node.js Application + # ========================================================================== + - package-ecosystem: "npm" + directory: "/NodeGoat" + schedule: + interval: "weekly" + day: "wednesday" + time: "06:00" + timezone: "America/New_York" + open-pull-requests-limit: 5 + labels: + - "dependencies" + - "javascript" + - "nodegoat" + - "lesson-01" + commit-message: + prefix: "deps(nodegoat)" + include: "scope" + # Only update non-vulnerable demo dependencies + # Some vulnerabilities are intentional for training + allow: + - dependency-type: "development" + - dependency-type: "production" + ignore: + # Intentionally keeping some packages at vulnerable versions for demos + - dependency-name: "marked" + versions: ["< 4.0.0"] + - dependency-name: "mongoose" + versions: ["< 6.0.0"] + + # ========================================================================== + # WebGoat - Intentionally Vulnerable Java Application + # ========================================================================== + - package-ecosystem: "maven" + directory: "/WebGoat" + schedule: + interval: "weekly" + day: "wednesday" + time: "06:00" + timezone: "America/New_York" + open-pull-requests-limit: 5 + labels: + - "dependencies" + - "java" + - "webgoat" + - "maven" + commit-message: + prefix: "deps(webgoat)" + include: "scope" + reviewers: + - "timothywarner-org" + + # ========================================================================== + # Lesson 01 - Vulnerability Detection Demos + # ========================================================================== + - package-ecosystem: "npm" + directory: "/lesson-01/demo-03-xss/secure-react-app" + schedule: + interval: "weekly" + day: "thursday" + time: "06:00" + timezone: "America/New_York" + open-pull-requests-limit: 3 + labels: + - "dependencies" + - "javascript" + - "lesson-01" + - "security/xss" + commit-message: + prefix: "deps(lesson-01)" + + - package-ecosystem: "npm" + directory: "/lesson-01/demo-04-custom-scanners/scanner" + schedule: + interval: "weekly" + day: "thursday" + time: "06:00" + timezone: "America/New_York" + open-pull-requests-limit: 3 + labels: + - "dependencies" + - "javascript" + - "lesson-01" + - "tool/sast" + commit-message: + prefix: "deps(lesson-01)" + + - package-ecosystem: "npm" + directory: "/lesson-01/demo-04-custom-scanners/idor-app" + schedule: + interval: "weekly" + day: "thursday" + time: "06:00" + timezone: "America/New_York" + open-pull-requests-limit: 3 + labels: + - "dependencies" + - "javascript" + - "lesson-01" + commit-message: + prefix: "deps(lesson-01)" + + # ========================================================================== + # Docker - Container image updates + # ========================================================================== + - package-ecosystem: "docker" + directory: "/NodeGoat" + schedule: + interval: "weekly" + day: "friday" + time: "06:00" + timezone: "America/New_York" + open-pull-requests-limit: 3 + labels: + - "dependencies" + - "docker" + - "security/vulnerability" + commit-message: + prefix: "docker" + include: "scope" + + - package-ecosystem: "docker" + directory: "/WebGoat" + schedule: + interval: "weekly" + day: "friday" + time: "06:00" + timezone: "America/New_York" + open-pull-requests-limit: 3 + labels: + - "dependencies" + - "docker" + - "security/vulnerability" + commit-message: + prefix: "docker" + include: "scope" + + # ========================================================================== + # Terraform - Infrastructure as Code updates + # ========================================================================== + - package-ecosystem: "terraform" + directory: "/lesson-02/demo-04-zero-trust/terraform" + schedule: + interval: "weekly" + day: "friday" + time: "06:00" + timezone: "America/New_York" + open-pull-requests-limit: 3 + labels: + - "dependencies" + - "terraform" + - "tool/terraform" + - "lesson-02" + commit-message: + prefix: "terraform" + include: "scope" + + - package-ecosystem: "terraform" + directory: "/lesson-05/demo-01-iac-templates/hardened" + schedule: + interval: "weekly" + day: "friday" + time: "06:00" + timezone: "America/New_York" + open-pull-requests-limit: 3 + labels: + - "dependencies" + - "terraform" + - "tool/terraform" + - "lesson-05" + - "security/compliance" + commit-message: + prefix: "terraform" + include: "scope" diff --git a/.github/labels.yml b/.github/labels.yml index 2afef72..0eb6350 100644 --- a/.github/labels.yml +++ b/.github/labels.yml @@ -144,6 +144,45 @@ color: "f9a7a7" description: "Advanced level content" +# ============================================================================= +# DEPENDABOT & DEPENDENCY LABELS +# ============================================================================= +- name: "dependencies" + color: "0366d6" + description: "Dependency updates (Dependabot)" + +- name: "security-update" + color: "ee0701" + description: "Security-related dependency update" + +- name: "javascript" + color: "f1e05a" + description: "JavaScript/Node.js related" + +- name: "java" + color: "b07219" + description: "Java related" + +- name: "docker" + color: "2496ed" + description: "Docker/container related" + +- name: "maven" + color: "c71a36" + description: "Maven dependency management" + +- name: "nodegoat" + color: "68a063" + description: "NodeGoat vulnerable application" + +- name: "webgoat" + color: "orange" + description: "WebGoat vulnerable application" + +- name: "github-actions" + color: "2088ff" + description: "GitHub Actions CI/CD updates" + # ============================================================================= # GENERAL PURPOSE LABELS # ============================================================================= @@ -170,3 +209,15 @@ - name: "documentation" color: "0075ca" description: "Documentation improvements" + +- name: "wontfix" + color: "ffffff" + description: "This will not be worked on" + +- name: "duplicate" + color: "cfd3d7" + description: "This issue or PR already exists" + +- name: "invalid" + color: "e4e669" + description: "This doesn't seem right" diff --git a/.github/topics.json b/.github/topics.json new file mode 100644 index 0000000..271a695 --- /dev/null +++ b/.github/topics.json @@ -0,0 +1,27 @@ +{ + "_description": "Repository topics for GitHub UI visibility. Apply via repository settings or GitHub API.", + "_instructions": "Navigate to Settings > General > Topics or use: gh repo edit --add-topic ", + "topics": [ + "github-copilot", + "cybersecurity", + "security", + "devsecops", + "vulnerability-detection", + "secure-coding", + "owasp", + "appsec", + "penetration-testing", + "sast", + "dast", + "compliance", + "nist", + "cis-benchmarks", + "zero-trust", + "threat-modeling", + "security-automation", + "incident-response", + "infrastructure-as-code", + "video-course" + ], + "apply_script": "for topic in $(jq -r '.topics[]' .github/topics.json); do gh repo edit --add-topic \"$topic\"; done" +} diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml new file mode 100644 index 0000000..9235be7 --- /dev/null +++ b/.github/workflows/codeql.yml @@ -0,0 +1,83 @@ +# CodeQL Security Analysis +# ========================= +# Automated code scanning for security vulnerabilities +# Documentation: https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors + +name: CodeQL + +on: + push: + branches: [main, develop] + pull_request: + branches: [main] + schedule: + # Run weekly on Sundays at midnight + - cron: '0 0 * * 0' + workflow_dispatch: + +concurrency: + group: ${{ github.workflow }}-${{ github.ref }} + cancel-in-progress: true + +jobs: + analyze: + name: Analyze (${{ matrix.language }}) + runs-on: ubuntu-latest + timeout-minutes: 360 + permissions: + security-events: write + packages: read + actions: read + contents: read + + strategy: + fail-fast: false + matrix: + include: + - language: javascript-typescript + build-mode: none + # Covers JavaScript, TypeScript, and JSX/TSX + - language: java-kotlin + build-mode: none + # Covers Java and Kotlin (WebGoat) + + steps: + - name: Checkout repository + uses: actions/checkout@v4 + + - name: Initialize CodeQL + uses: github/codeql-action/init@v3 + with: + languages: ${{ matrix.language }} + build-mode: ${{ matrix.build-mode }} + # Security-extended includes more security queries + queries: +security-extended,security-and-quality + + # For Java, we may need to build + - name: Setup Java (for Java analysis) + if: matrix.language == 'java-kotlin' + uses: actions/setup-java@v4 + with: + distribution: 'temurin' + java-version: '21' + cache: 'maven' + + - name: Build Java (if needed) + if: matrix.language == 'java-kotlin' && matrix.build-mode == 'manual' + working-directory: ./WebGoat + run: mvn clean compile -DskipTests -q + + - name: Perform CodeQL Analysis + uses: github/codeql-action/analyze@v3 + with: + category: "/language:${{ matrix.language }}" + output: sarif-results + upload: always + + - name: Upload SARIF results + uses: actions/upload-artifact@v4 + if: always() + with: + name: codeql-results-${{ matrix.language }} + path: sarif-results + retention-days: 30 diff --git a/.github/workflows/dependency-review.yml b/.github/workflows/dependency-review.yml new file mode 100644 index 0000000..2587e2c --- /dev/null +++ b/.github/workflows/dependency-review.yml @@ -0,0 +1,90 @@ +# Dependency Review +# ================== +# Scans pull requests for dependency changes and alerts on known vulnerabilities +# Documentation: https://docs.github.com/en/code-security/supply-chain-security/understanding-your-software-supply-chain/about-dependency-review + +name: Dependency Review + +on: + pull_request: + branches: [main, develop] + workflow_dispatch: + +permissions: + contents: read + pull-requests: write + +jobs: + dependency-review: + name: Dependency Review + runs-on: ubuntu-latest + steps: + - name: Checkout Repository + uses: actions/checkout@v4 + + - name: Dependency Review + uses: actions/dependency-review-action@v4 + with: + # Fail on high and critical vulnerabilities + fail-on-severity: high + # Deny specific licenses + deny-licenses: GPL-3.0, AGPL-3.0 + # Allow specific licenses commonly used in security tools + allow-licenses: MIT, Apache-2.0, BSD-2-Clause, BSD-3-Clause, ISC, 0BSD, CC0-1.0, Unlicense + # Comment on PR with dependency changes + comment-summary-in-pr: always + # Show all vulnerabilities, not just new ones + warn-only: false + # Retry on transient failures + retry-on-snapshot-warnings: true + + npm-audit: + name: NPM Audit + runs-on: ubuntu-latest + steps: + - name: Checkout Repository + uses: actions/checkout@v4 + + - name: Setup Node.js + uses: actions/setup-node@v4 + with: + node-version: '20' + + - name: Audit Root Dependencies + run: | + if [ -f package-lock.json ]; then + npm audit --audit-level=high || true + fi + continue-on-error: true + + - name: Audit NodeGoat Dependencies + working-directory: ./NodeGoat + run: | + if [ -f package-lock.json ]; then + echo "## NodeGoat Dependency Audit" >> $GITHUB_STEP_SUMMARY + echo "Note: NodeGoat contains intentionally vulnerable dependencies for training" >> $GITHUB_STEP_SUMMARY + npm audit --audit-level=critical 2>&1 | head -50 >> $GITHUB_STEP_SUMMARY || true + fi + continue-on-error: true + + maven-dependency-check: + name: Maven Dependency Check + runs-on: ubuntu-latest + steps: + - name: Checkout Repository + uses: actions/checkout@v4 + + - name: Setup Java + uses: actions/setup-java@v4 + with: + distribution: 'temurin' + java-version: '21' + cache: 'maven' + + - name: Check WebGoat Dependencies + working-directory: ./WebGoat + run: | + echo "## WebGoat Dependency Analysis" >> $GITHUB_STEP_SUMMARY + echo "Note: WebGoat contains intentionally vulnerable dependencies for training" >> $GITHUB_STEP_SUMMARY + mvn dependency:tree -DoutputType=text 2>/dev/null | head -100 >> $GITHUB_STEP_SUMMARY || true + continue-on-error: true diff --git a/.github/workflows/security-pipeline.yml b/.github/workflows/security-pipeline.yml new file mode 100644 index 0000000..b69fb54 --- /dev/null +++ b/.github/workflows/security-pipeline.yml @@ -0,0 +1,228 @@ +# Security CI/CD Pipeline +# ======================= +# Comprehensive security scanning for the GitHub Copilot Cybersecurity course +# Course: GitHub Copilot for Cybersecurity Specialists +# +# Features: +# - Secret detection (TruffleHog, GitLeaks) +# - Dependency scanning (npm audit, Snyk) +# - SAST (CodeQL, Semgrep) +# - IaC scanning (Checkov, KICS) +# - Container scanning (Trivy) +# - Security gate enforcement + +name: Security Pipeline + +on: + push: + branches: [main, develop] + pull_request: + branches: [main] + schedule: + # Run security scans daily at 6 AM UTC + - cron: '0 6 * * *' + workflow_dispatch: + inputs: + full_scan: + description: 'Run full security scan including DAST' + required: false + default: 'false' + type: boolean + +env: + NODE_VERSION: '20' + JAVA_VERSION: '21' + +concurrency: + group: ${{ github.workflow }}-${{ github.ref }} + cancel-in-progress: true + +jobs: + # =========================================================================== + # Secret Detection - Prevent credential leaks + # =========================================================================== + secret-detection: + name: Secret Detection + runs-on: ubuntu-latest + steps: + - name: Checkout Repository + uses: actions/checkout@v4 + with: + fetch-depth: 0 + + - name: TruffleHog Scan + uses: trufflesecurity/trufflehog@main + with: + path: ./ + base: ${{ github.event.repository.default_branch }} + head: HEAD + extra_args: --only-verified + + - name: GitLeaks Scan + uses: gitleaks/gitleaks-action@v2 + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + + # =========================================================================== + # Dependency Scanning - Identify vulnerable packages + # =========================================================================== + dependency-scan: + name: Dependency Vulnerability Scan + runs-on: ubuntu-latest + steps: + - name: Checkout Repository + uses: actions/checkout@v4 + + - name: Setup Node.js + uses: actions/setup-node@v4 + with: + node-version: ${{ env.NODE_VERSION }} + + - name: NPM Audit (Root) + run: | + if [ -f package-lock.json ]; then + npm audit --audit-level=high --json > npm-audit-root.json || true + fi + continue-on-error: true + + - name: NPM Audit (NodeGoat) + working-directory: ./NodeGoat + run: | + if [ -f package-lock.json ]; then + npm audit --audit-level=critical --json > ../npm-audit-nodegoat.json || true + fi + continue-on-error: true + + - name: Upload Audit Results + uses: actions/upload-artifact@v4 + if: always() + with: + name: npm-audit-results + path: npm-audit-*.json + retention-days: 30 + + # =========================================================================== + # SAST - Semgrep Analysis + # =========================================================================== + sast-semgrep: + name: Semgrep SAST + runs-on: ubuntu-latest + container: + image: semgrep/semgrep + steps: + - name: Checkout Repository + uses: actions/checkout@v4 + + - name: Run Semgrep + run: | + semgrep scan \ + --config p/security-audit \ + --config p/owasp-top-ten \ + --config p/nodejs \ + --config p/javascript \ + --sarif \ + --output semgrep-results.sarif \ + --error \ + --exclude='**/node_modules/**' \ + --exclude='**/vendor/**' \ + --exclude='**/*.min.js' \ + . || true + + - name: Upload Semgrep Results + uses: github/codeql-action/upload-sarif@v3 + if: always() + with: + sarif_file: semgrep-results.sarif + continue-on-error: true + + # =========================================================================== + # Infrastructure as Code Scanning + # =========================================================================== + iac-scan: + name: IaC Security Scan + runs-on: ubuntu-latest + steps: + - name: Checkout Repository + uses: actions/checkout@v4 + + - name: Checkov Scan + uses: bridgecrewio/checkov-action@v12 + with: + directory: . + framework: terraform + output_format: cli,sarif + output_file_path: console,checkov-results.sarif + soft_fail: true + skip_check: CKV_AWS_79,CKV_AWS_18 + + - name: Upload Checkov Results + uses: github/codeql-action/upload-sarif@v3 + if: always() + with: + sarif_file: checkov-results.sarif + continue-on-error: true + + # =========================================================================== + # Container Security Scanning + # =========================================================================== + container-scan: + name: Container Security + runs-on: ubuntu-latest + if: github.event_name != 'pull_request' + steps: + - name: Checkout Repository + uses: actions/checkout@v4 + + - name: Trivy Filesystem Scan + uses: aquasecurity/trivy-action@master + with: + scan-type: 'fs' + scan-ref: '.' + format: 'sarif' + output: 'trivy-fs-results.sarif' + severity: 'CRITICAL,HIGH' + ignore-unfixed: true + + - name: Upload Trivy Results + uses: github/codeql-action/upload-sarif@v3 + if: always() + with: + sarif_file: trivy-fs-results.sarif + continue-on-error: true + + # =========================================================================== + # Security Gate - Final approval step + # =========================================================================== + security-gate: + name: Security Gate + runs-on: ubuntu-latest + needs: + - secret-detection + - dependency-scan + - sast-semgrep + - iac-scan + if: always() + steps: + - name: Check Security Results + run: | + echo "## Security Scan Summary" >> $GITHUB_STEP_SUMMARY + echo "" >> $GITHUB_STEP_SUMMARY + + # Check each job status + echo "| Check | Status |" >> $GITHUB_STEP_SUMMARY + echo "|-------|--------|" >> $GITHUB_STEP_SUMMARY + echo "| Secret Detection | ${{ needs.secret-detection.result == 'success' && 'Passed' || 'Review Required' }} |" >> $GITHUB_STEP_SUMMARY + echo "| Dependency Scan | ${{ needs.dependency-scan.result == 'success' && 'Passed' || 'Review Required' }} |" >> $GITHUB_STEP_SUMMARY + echo "| SAST (Semgrep) | ${{ needs.sast-semgrep.result == 'success' && 'Passed' || 'Review Required' }} |" >> $GITHUB_STEP_SUMMARY + echo "| IaC Scan | ${{ needs.iac-scan.result == 'success' && 'Passed' || 'Review Required' }} |" >> $GITHUB_STEP_SUMMARY + echo "" >> $GITHUB_STEP_SUMMARY + echo "**Note:** This repository contains intentionally vulnerable code for educational purposes." >> $GITHUB_STEP_SUMMARY + + - name: Gate Decision + run: | + # Only fail on secret detection failures (critical security issue) + if [ "${{ needs.secret-detection.result }}" == "failure" ]; then + echo "::error::Security gate failed - secrets detected in code" + exit 1 + fi + echo "Security gate passed" diff --git a/README.md b/README.md index c72db25..f4012aa 100644 --- a/README.md +++ b/README.md @@ -1,9 +1,14 @@ # GitHub Copilot for Cybersecurity Specialists +[![Security Pipeline](https://github.com/timothywarner-org/github-security-testbed/actions/workflows/security-pipeline.yml/badge.svg)](https://github.com/timothywarner-org/github-security-testbed/actions/workflows/security-pipeline.yml) +[![CodeQL](https://github.com/timothywarner-org/github-security-testbed/actions/workflows/codeql.yml/badge.svg)](https://github.com/timothywarner-org/github-security-testbed/actions/workflows/codeql.yml) +[![Dependency Review](https://github.com/timothywarner-org/github-security-testbed/actions/workflows/dependency-review.yml/badge.svg)](https://github.com/timothywarner-org/github-security-testbed/actions/workflows/dependency-review.yml) + [![Course Duration](https://img.shields.io/badge/Duration-3.5%20Hours-blue)](README.md) [![Lessons](https://img.shields.io/badge/Lessons-5-green)](README.md) [![License](https://img.shields.io/badge/License-MIT-yellow.svg)](LICENSE) [![GitHub Copilot](https://img.shields.io/badge/GitHub%20Copilot-Enabled-8A2BE2)](https://github.com/features/copilot) +[![Security Policy](https://img.shields.io/badge/Security-Policy-blueviolet)](SECURITY.md) > **Hands-on video training for security professionals leveraging GitHub Copilot to detect vulnerabilities, implement security protocols, automate testing, and ensure compliance.** diff --git a/SECURITY.md b/SECURITY.md new file mode 100644 index 0000000..4d5db6d --- /dev/null +++ b/SECURITY.md @@ -0,0 +1,141 @@ +# Security Policy + +## Purpose + +This repository contains **intentionally vulnerable applications** and **security training materials** for the "GitHub Copilot for Cybersecurity Specialists" video course. The codebase includes examples of vulnerable code patterns, secure code patterns, and security testing tools for **educational purposes only**. + +> **Warning**: This repository contains intentionally vulnerable code (NodeGoat, WebGoat, and lesson demos). **Do not deploy any code from this repository to production environments.** + +## Supported Versions + +| Version | Supported | Notes | +|---------|-----------|-------| +| main | Yes | Latest course materials and security fixes | +| develop | Yes | Pre-release updates, may contain experimental code | + +## Reporting a Vulnerability + +We take security issues seriously, even in educational repositories. If you discover a security vulnerability that affects the **infrastructure** or **unintentional security issues** (not the deliberately vulnerable demo code), please follow responsible disclosure practices. + +### What to Report + +**Please report:** +- Security issues in the CI/CD pipeline configurations +- Exposed secrets or credentials (that shouldn't be exposed) +- Security issues in supporting scripts/tooling (not demo vulnerable apps) +- Issues that could affect learners following the course materials +- Supply chain vulnerabilities in dependencies + +**Please do NOT report:** +- Vulnerabilities in intentionally vulnerable applications (NodeGoat, WebGoat) +- SQL injection, XSS, or other OWASP vulnerabilities in `/lesson-*` demo code +- Security issues that are documented as teaching examples + +### How to Report + +1. **Email**: security@timothywarner.org +2. **GitHub Security Advisories**: Use the [Security tab](../../security/advisories) to create a private security advisory +3. **Response Time**: We aim to acknowledge reports within 48 hours + +### What to Include + +- Description of the vulnerability +- Steps to reproduce +- Potential impact assessment +- Suggested remediation (if any) +- Whether you want public acknowledgment + +### Safe Harbor + +We support safe harbor for security researchers who: +- Make a good faith effort to avoid privacy violations, data destruction, or service interruption +- Only interact with accounts you own or with explicit permission +- Do not exploit vulnerabilities beyond what is necessary to demonstrate the issue +- Report vulnerabilities promptly and provide reasonable time for remediation + +## Security Best Practices for Course Users + +When using this repository for learning: + +### Local Development + +1. **Isolated Environment**: Run vulnerable applications in containers or VMs + ```bash + # Use Docker for NodeGoat + cd NodeGoat && docker-compose up + + # Use Docker for WebGoat + cd WebGoat && docker-compose up + ``` + +2. **Network Isolation**: Never expose vulnerable apps to the internet + ```bash + # Bind to localhost only + docker run -p 127.0.0.1:3000:3000 nodegoat + ``` + +3. **Clean Up**: Remove containers and images after learning sessions + ```bash + docker-compose down --rmi all --volumes + ``` + +### Credential Management + +- Never commit real credentials to this repository +- Use environment variables or secret managers for any real integrations +- Rotate any credentials that may have been accidentally exposed + +### Dependency Security + +This repository uses Dependabot for automated security updates. Key configurations: + +- **Daily security updates** for critical vulnerabilities +- **Weekly version updates** for staying current +- **Automated PRs** with security labels for easy triage + +## Security Features Enabled + +### GitHub Security Features + +| Feature | Status | Description | +|---------|--------|-------------| +| Dependabot Alerts | Enabled | Automated vulnerability detection in dependencies | +| Dependabot Security Updates | Enabled | Automatic PRs for security fixes | +| Secret Scanning | Enabled | Detects exposed secrets in commits | +| Push Protection | Enabled | Blocks pushes containing secrets | +| Code Scanning (CodeQL) | Configured | SAST for JavaScript, TypeScript, and Java | + +### CI/CD Security + +The security pipeline (`.github/workflows/security-pipeline.yml`) includes: + +- **Secret Detection**: TruffleHog and GitLeaks scanning +- **Dependency Scanning**: npm audit, Snyk, OWASP Dependency Check +- **SAST**: CodeQL and Semgrep analysis +- **Container Scanning**: Trivy and Grype for Docker images +- **IaC Scanning**: Checkov and KICS for Terraform/Kubernetes +- **DAST**: OWASP ZAP baseline scanning + +## Vulnerability Disclosure Timeline + +| Stage | Timeframe | +|-------|-----------| +| Initial Response | 48 hours | +| Vulnerability Confirmation | 7 days | +| Remediation Development | 30 days (90 for complex issues) | +| Public Disclosure | After fix is released | + +## Security Contacts + +- **Primary Contact**: security@timothywarner.org +- **Repository Owner**: [@timothywarner-org](https://github.com/timothywarner-org) +- **Security Advisories**: [GitHub Security Advisories](../../security/advisories) + +## Acknowledgments + +We appreciate the security research community and will acknowledge researchers who report valid vulnerabilities (with permission) in our security advisories. + +--- + +**Last Updated**: December 2024 +**Policy Version**: 1.0