AppSec suggestions#81
Conversation
ghost
left a comment
There was a problem hiding this comment.
No issues with your course have been found! You are good to go 🚀
|
This is awesome @gregose, thank you 🙏 Branch protection is definitely possible. Signed commits I'm not sure - if Token scanning would be really really neat - I imagine that as a third-party app, Learning Lab won't ever see that a token was revoked. A dummy token could work well though, we'd be able to, for example, check the diff of a commit and say "Oh hey don't worry this was invalidated for you by Token Scanning!" |
ghost
left a comment
There was a problem hiding this comment.
No issues with your course have been found! You are good to go 🚀
|
@gregose 🙌 Thank you SO MUCH! These are fabulous improvements. I'm going to go ahead and 🚢! I'll open an issue for the next bits.
👍 I will think on this and see how/where we can add this, because you're totally right. #85
I'm going to open another issue and continue there. #86 |
I have some suggested changes to the copy for this learning lab. Feel free to pick and choose what makes the most sense.
The
add-gitignoresteps were a bit confusing, there did not seem to be a .env file committed, so I tried to update the copy to be clearer that it would prevent future commits.One thing that comes to mind is branch protection. It would be cool to see people enable required reviews and commit signatures. I'm not sure how difficult that would be to implement in the learning lab.
Another item would be to have someone commit an access token and have it revoked with the credential scanning feature... but thats a bit tricky to implement in a safe way. I'm not sure what we could do there. Maybe a dummy token we could scan for? @ptoomey3 (not part of this org yet) may have some ideas.