Exercise - Secure your repository's supply chain

In this lab, you will learn how to secure your repository's supply chain by identifying and fixing vulnerabilities in your dependencies. Modern applications rely on numerous external dependencies, and each dependency represents a potential security risk. GitHub provides tools like Dependabot to help you manage and secure your dependencies automatically.

You will learn how to:

  • Understand supply chain security concepts
  • Enable Dependabot alerts
  • Review and fix security vulnerabilities
  • Configure Dependabot security updates
  • Understand dependency graphs
  • Implement security best practices

This lab takes approximately 30-45 minutes to complete.

Before you start

To complete the lab, you need:

Complete the exercise on GitHub

In this exercise, you'll learn to secure your repository's dependencies through a hands-on GitHub Skills exercise.

Note: This exercise is hosted on GitHub Skills and provides an interactive learning experience. You'll work with Dependabot to identify vulnerabilities and automatically create pull requests to fix them.

The exercise consists of the following activities:

  1. Start a web browser and navigate to the exercise repository: https://github.com/skills-dev/secure-repository-supply-chain

  2. On the exercise page, select the Use this template button to copy the exercise to your GitHub account.

    Note: After copying the exercise to your account, give GitHub about 20 seconds to prepare the first lesson, then refresh the page.

  3. Follow the instructions on the repository's README to complete all the challenges, which include:

    • Understanding supply chain security and why it matters
    • Enabling Dependabot alerts for your repository
    • Reviewing security advisories for vulnerable dependencies
    • Enabling Dependabot security updates to automatically fix vulnerabilities
    • Reviewing and merging Dependabot pull requests
    • Understanding the dependency graph and how to interpret it
    • Configuring Dependabot for your specific needs

  4. Work through each step in the exercise, following the prompts and instructions provided.

    Note: Once Dependabot security updates are enabled, Dependabot automatically scans your dependencies and opens pull requests that update vulnerable packages to secure versions.

  5. When you finish all the challenges, you'll understand how to maintain secure dependencies in your projects.
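As an added example, not part of the GitHub Skills exercise itself, the following `.github/dependabot.yml` shows the kind of file the "Configuring Dependabot for your specific needs" step ends up with. It assumes an npm project whose `package.json` sits at the repository root plus GitHub Actions workflows; the ecosystem choice, the `dependencies` label and the `example-framework` dependency name are assumptions for illustration, not values from the exercise. Dependabot alerts and security updates themselves are switched on in the repository's security settings, as the exercise walks through; this file governs the schedule, grouping and limits of Dependabot's version-update pull requests.

```yaml
# Added example: .github/dependabot.yml for a hypothetical npm project.
# Ecosystem, directory, label and dependency names are assumptions, not values from the exercise.
version: 2
updates:
  - package-ecosystem: "npm"
    directory: "/"                 # location of package.json (assumed repository root)
    schedule:
      interval: "weekly"
      day: "monday"
    open-pull-requests-limit: 10   # cap on simultaneously open version-update PRs
    labels:
      - "dependencies"             # assumed label; create it in the repository first
    commit-message:
      prefix: "deps"
    groups:
      # Batch non-breaking updates into one PR so reviewers see fewer, larger changes
      minor-and-patch:
        patterns:
          - "*"
        update-types:
          - "minor"
          - "patch"
    ignore:
      # Placeholder dependency: hold it at its current major version until a planned migration
      - dependency-name: "example-framework"
        update-types: ["version-update:semver-major"]

  - package-ecosystem: "github-actions"
    directory: "/"                 # workflows under .github/workflows are discovered from the root
    schedule:
      interval: "weekly"
```

Two points matter when reviewing such a file. Grouping minor and patch updates keeps the review queue manageable, but a grouped pull request still needs its CI run and changelog check before merging, since several packages change at once. An `ignore` entry also suppresses Dependabot's pull requests for that dependency, so each one should be deliberate and revisited; a dependency held back indefinitely is exactly the kind that accumulates unpatched advisories.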

What you've learned

After completing this exercise, you should be able to:

  • Understand supply chain security risks
  • Enable and configure Dependabot alerts
  • Review security vulnerabilities in dependencies
  • Use Dependabot security updates to automatically fix issues
  • Understand and use the dependency graph
  • Merge Dependabot pull requests safely
  • Implement security best practices for dependencies
  • Monitor and maintain secure dependencies
  • Understand the importance of keeping dependencies updated

Congratulations! You've completed the "Secure your repository's supply chain" exercise and learned how to protect your projects from vulnerable dependencies!