A Node.js/Express demonstration application for Pluralsight's GitHub Advanced Security (GHAS) course.
This repository demonstrates GitHub Advanced Security (GHAS) best practices:
- Dependabot Alerts & PRs: Automatically detects vulnerable dependencies and creates pull requests with updates
- CodeQL Analysis: Identifies potential security vulnerabilities in code with static analysis
- Secret Scanning: Prevents accidental commit of credentials and tokens
- SARIF Integration: Standardized security scan results format
- Branch Protection Rules: Requires security checks to pass before merging
- Required Approvals: Multiple eyes on all code changes
- Security Policies: Clear documentation for reporting vulnerabilities
You can use these commands to install, test, and run the app locally. (Not Required)
npm install
npm test
Navigate to the /test folder to review the unit tests for this project. These tests will run as part of your GitHub Actions workflow. See .github/workflows/ directory for CI/CD configuration.
npm start
This project uses an enhanced Dependabot configuration (.github/dependabot.yml) that:
- Scans multiple ecosystems (npm, GitHub Actions, Docker)
- Creates automated PRs for vulnerable dependencies
- Labels security-related PRs for easy identification
- Customizes update schedule based on ecosystem needs
- Required status checks must pass before merging
- Pull request reviews required before merging
- Dismisses stale pull request approvals when new commits are pushed
- Restricts who can push to matching branches
Software Bill of Materials (SBOM) is automatically generated during the build process, providing transparency into all dependencies.
Visit the Security tab in this repository to view:
- Current security alerts
- Dependabot alerts and updates
- CodeQL analysis results
- Secret scanning alerts
This project is licensed under the MIT License - see the LICENSE file for details.