GitHub DevSecOps Learning Activities E-Book
This is a digital workbook that introduces new software engineers and application security professionals to GitHub security tooling. It helps software engineers become familiar and comfortable with security concepts and controls, and guides them through GitHub security features such as code signing, code scanning, and secret scanning. The goal of the workbook is to strengthen the security-consciousness of software developers and provide a foundation for software engineers or application security professionals.
As a developer or tester, security may not be at the forefront of your mind. Security typically only becomes a priority when the dedicated security team gets involved. However, there are tools and techniques you can learn now to give you the arsenal to prepare for security team demands.
This workbook demonstrates how you can defend your build pipeline using open source tools and freely available features in GitHub. It will walk you through basic to advanced security tooling to prevent the security team from impacting your project plans.
By the end of the e-book, participants will be able to:
- Describe best practices for gating your build to prevent critical security findings from being released.
- Tighten access controls and handle GitHub security advisories.
- Enable GPG signing on commits for maintaining the integrity of a patch.
- Implement code scanning, secret scanning and Dependabot.
- Perform commit and tag signing, and use sigstore to sign releases and get them verified.