Lab security-strategy-essentials can this only be done through enterprise?

Hello trying to complete lab.github training course on security strategy essentials.

I have looked at

For me the problem arises with number 3 in the list below. There is no “debug” button.

  1. Click the Security tab in your repository.
  2. On the left hand navigation bar, click Dependabot alerts.
  3. Click on the debug alert.
  4. Take note of the suggested version.
  5. Comment in this issue with the suggested update version.

Can this lab only be completed by enterprise?

“GitHub Enterprise Server only: This is all possible on GitHub Enterprise through GitHub Connect. It may take up to an hour to refresh the alerts and make them visible. After waiting a reasonable amount of time, if you are still not seeing the yellow bar in the Dependency Graph, you may want to contact your administrator. In the mean time, to move along with the course, we’ll give you a hint - the recommended upgraded version is 2.6.9.”

I can force or trick the GitHub bot by just replying to the issue, but then this creates problems downstream.

What am I doing wrong? Are the instructions wrong?

Regards,


I am stuck at that too, unfortunately.
I don’t think you’ve done something wrong, but I think the GitHub website is under active development which sometimes breaks some of those learning-lab tutorials. Also the dependabot is beta, or at least I’m under that impression.

Replying with “2.6.9” worked though, so I will just do that and manually update the dependency. You can go to “Insights > Dependency graph” and the first dependency in the list is called “visionmedia/debug” and manually update that. I don’t know how to do that, btw.

Anyway, I will try to go through the rest of the said tutorial with the old version and will write back if I’m able to…

Nah, just reply with “2.6.9” and be done with that. The next step is a pull request in which you manually update it anyway.

I have the same problem with the Learning Lab - Securing your workflows that I don’t see a vulnerability warning.

I noticed also that the Quick Reference Guide for Securing your workflows contains two lines of instructions

“1.2. Scroll down until you see Data services.
1.3. Under Data services, click the check boxes to enable all the data services.”

which don’t appear in the security-on-github/issues/2. The bot-generated issue only instructs to:

“1. Click the Settings tab in your repository.
2. Scroll down to GitHub Pages and select master as a Source.”

and they don’t say anything about enabling Dependabot alerts and Dependabot security updates.

In addition, the Data services section under Settings says:

“You can now manage Dependabot alerts and Dependabot security updates in the Security & analysis settings”

So it looks like the course needs to be checked to see if it is really running correctly under the current version of GitHub, and the instructions in the bot-generated issue need to be updated. Plus there is some fine tuning missing regarding the detailed instructions for enabling Dependabot alerts and Dependabot security updates.

BTW: I am very impressed with the quality of the other courses I found under https://lab.github.com/ for First Day and First Week. :+1: It was fun taking them. The security strategy essentials does seem to be suffering a glitch at this time though.

Thank you all for pointing out these roadblocks in this course. It looks as though the GitHub interface has changed quite a bit. We do have some open issues to address the outdated content, but it’s quite the manual process for us at the moment :man_facepalming: which makes it slow at times.

You can follow our progress if you wish, and if there are other things you’ve noticed while taking this course feel free to add them as issues as well :smile:


Thank you so much for the confirmation that you’ll be looking at the problem and for the link to the issues!

I couldn’t see the problems being discussed here in the list of issues. Would it make sense to open a new issue there linking to the discussion here? Should I do this?

It’s working for me today!

I did the following in Step 1:

  1. Click on Security in the repository.
  2. Click on Enable Dependabot alerts.
  3. In “Configure security and analysis features” click on Enable in the section Dependabot alerts.

Here is what it showed me afterwards:




The GitHub Advisory Database lists Regular Expression Denial of Service in debug which corresponds to the alert.

I have created a new issue Incorrect instructions for enabling vulnerability alerts for this topic.

I’m assuming all of this explains why I’m getting a 404 on step 2.


That sounds like a different issue. What URL is giving the 404 error? Maybe a screenshot would help to understand?

Hmmm. Well this is a screenshot of where I’m at when things work and when I click step 2 and get the 404 when things stop working.

This really is a different issue.
The URL you are trying to access is https://github.com/ahimsatravis/security-on-github/issues/4 and since I can access it, you probably ought to be able to access it as well. Perhaps you were too quick? I suggest you try again. Good luck!