Source: https://www.bleepingcomputer.com/news/security/npm-supply-chain-attack-impacts-hundreds-of-websites-and-apps/
GitHub editions
  Cloud: GitHub Free, GitHub Team, GitHub Enterprise
  On-Premises: GitHub Enterprise Server
Source: https://github.com/pricing
Source: https://news.microsoft.com/announcement/microsoft-acquires-github/
Source: https://octoverse.github.com/static/github-octoverse-2020-security-report.pdf
Feature                 | Azure DevOps                       | GitHub
------------------------|------------------------------------|----------------------------------
Project Management      | Azure Boards                       | Projects, Discussions, Issues
Burndown Analytics      | Azure Boards                       | GitHub Analytics
Code Editing            | n/a                                | Codespaces and github.dev
Continuous Integration  | Azure Pipelines                    | GitHub Actions
Deploy & Release        | Azure Pipelines / Azure Artifacts  | GitHub Actions / GitHub Packages
Manual testing          | Azure Test Plans                   | n/a
Code security           | n/a                                | Advanced Security
Analytics               | Analytics Service                  | Insights
Source: https://docs.microsoft.com/en-us/azure/devops/boards/github/link-to-from-github?view=azure-devops
Commit message                                          | Action
--------------------------------------------------------|---------------------------------------------------------------------------------------------------------
Fixed AB#123                                            | Links and transitions the work item to the "done" state.
Adds a new feature, fixes AB#123.                       | Links and transitions the work item to the "done" state.
Fixes AB#123, AB#124, and AB#126                        | Links to Azure Boards work items 123, 124, and 126. Transitions only the first item, 123, to the "done" state.
Fixes AB#123, Fixes AB#124, Fixes AB#125                | Links to Azure Boards work items 123, 124, and 126. Transitions all items to the "done" state.
Fixing multiple bugs: issue #123 and user story AB#234  | Links to GitHub issue 123 and Azure
Source: https://docs.microsoft.com/en-us/azure/devops/boards/github/link-to-from-github?view=azure-devops
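The linking rules in the table above are easy to get wrong in practice (one "Fixes" in front of a list transitions only the first item). The following is an added example, not code from the slides or from the Azure Boards documentation: a small classifier that applies those rules to a commit message, plus a constructed policy check of the kind a CI step could run. The keyword set fix / fixes / fixed, written directly before an AB#<id>, is an assumption taken from the cited docs; the sample messages are the rows of the table.

```javascript
// Added example, not from the slides or the Azure Boards docs: classify how a
// commit message is linked to Azure Boards work items and GitHub issues under
// the rules in the table above. Assumed from the cited docs: only the keywords
// fix / fixes / fixed, written directly before an AB#<id>, transition that one
// item; every other AB#<id> is linked only.

const WORK_ITEM_RE = /AB#(\d+)/gi;
const TRANSITION_RE = /\b(?:fix|fixes|fixed)\s+AB#(\d+)/gi;
// "#123" on its own is a GitHub issue; the lookbehind excludes "AB#123".
const GITHUB_ISSUE_RE = /(?<![A-Za-z])#(\d+)/g;

// Collect the capture group of every match as a number, without duplicates.
function uniqueNumbers(text, re) {
  const ids = [];
  for (const m of text.matchAll(re)) {
    const id = Number(m[1]);
    if (!ids.includes(id)) ids.push(id);
  }
  return ids;
}

// Returns which Azure Boards items are linked, which are transitioned to
// "done", and which GitHub issues are referenced.
function classifyCommit(message) {
  return {
    linked: uniqueNumbers(message, WORK_ITEM_RE),
    transitioned: uniqueNumbers(message, TRANSITION_RE),
    githubIssues: uniqueNumbers(message, GITHUB_ISSUE_RE),
  };
}

// Constructed policy (not a GitHub or Azure feature): every commit must
// reference a work item, and a fix keyword must not be left dangling, which
// is the typical cause of "my item never moved to done".
function checkCommitPolicy(message) {
  const { linked, transitioned } = classifyCommit(message);
  const problems = [];
  if (linked.length === 0) problems.push("no AB# work item referenced");
  if (/\b(?:fix|fixes|fixed)\b/i.test(message) && transitioned.length === 0) {
    problems.push("fix keyword present but no AB# item directly follows it");
  }
  return problems;
}

// Constructed sample input: the rows of the table above.
const SAMPLE_MESSAGES = [
  "Fixed AB#123",
  "Adds a new feature, fixes AB#123.",
  "Fixes AB#123, AB#124, and AB#126",
  "Fixes AB#123, Fixes AB#124, Fixes AB#125",
  "Fixing multiple bugs: issue #123 and user story AB#234",
];

for (const msg of SAMPLE_MESSAGES) {
  console.log(JSON.stringify({ msg, ...classifyCommit(msg), problems: checkCommitPolicy(msg) }));
}
```

Run with `node` to print one JSON line per sample message. The third row shows the surprise the table warns about: three items are linked but only 123 is transitioned.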
Source: https://docs.microsoft.com/en-us/devops/devsecops/enable-devsecops-azure-github?view=azure-devops
Figure: feature-branch workflow. Assign Issue → Create Feature Branch → Develop and Commit → Push to Remote → Create Pull-Request → Notify team & wait for review → Approved? (if not: Develop and Commit again) → Merge PR & delete branch → Finished?
Figure: anatomy of a GitHub Actions workflow.

Workflow: triggered by an Event and made up of one or more Jobs. Events that can trigger a workflow:
▪ branch_protection_rule
▪ check_run
▪ check_suite
▪ create
▪ delete
▪ deployment
▪ deployment_status
▪ discussion
▪ discussion_comment
▪ fork
▪ gollum
▪ issue_comment
▪ issues
▪ label
▪ milestone
▪ page_build
▪ project
▪ project_card
▪ project_column
▪ public
▪ pull_request
▪ pull_request_comment (use issue_comment)
▪ pull_request_review
▪ pull_request_review_comment
▪ pull_request_target
▪ push
▪ registry_package
▪ release
▪ repository_dispatch
▪ schedule
▪ status
▪ watch
▪ workflow_call
▪ workflow_dispatch
▪ workflow_run

Job: an ordered list of Steps executed on one Runner; each step either runs an action or runs a script (e.g. Step 1: Run action, Step 2: Run script, Step 3: Run action, Step 4: Run action).
Runner: the machine that runs the actions and logs the results.
Action: implemented as a Docker Container Action, a JavaScript Action, or a Composite Action.
Source: https://docs.github.com/en/actions/using-workflows/reusing-workflows
Reusable workflow (callee):

name: Reusable workflow example
on:
  workflow_call:
    inputs:
      username:
        required: true
        type: string
    secrets:
      token:
        required: true
jobs:
  example_job:
    name: Pass input and secrets to my-action
    runs-on: ubuntu-latest
    steps:
      - uses: ./.github/workflows/my-action
        with:
          username: ${{ inputs.username }}
          token: ${{ secrets.token }}
Caller workflow:

jobs:
  call-workflow-1-in-local-repo:
    uses: octo-org/this-repo/.github/workflows/workflow-1.yml@172239021f7ba04fe7327647b213799853a9eb89
  call-workflow-2-in-local-repo:
    uses: ./.github/workflows/workflow-2.yml
  call-workflow-in-another-repo:
    uses: octo-org/another-repo/.github/workflows/workflow.yml@v1
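The caller above references one workflow by full commit SHA and another by the tag `v1`. A tag or branch can be moved by whoever controls the referenced repository, so a workflow or action pinned by tag can change underneath you, while a 40-character SHA is immutable. The following is an added example, not code from the slides or from GitHub: a line-based audit that lists every `uses:` reference in workflow YAML text and classifies how it is pinned. The sample workflow is constructed from the caller above plus two extra steps; no YAML library is needed because `uses:` values are single tokens.

```javascript
// Added example, not from the slides or GitHub: report how each `uses:`
// reference in a workflow is pinned. Kinds: "sha" (full commit SHA, immutable),
// "mutable" (tag or branch, can be moved), "unversioned" (no @ at all),
// "local" (./path in the same repo), "docker" (docker:// image reference).

const USES_RE = /^\s*-?\s*uses:\s*["']?([^\s"'#]+)/;
const SHA_RE = /^[0-9a-f]{40}$/i;

function classifyUses(ref) {
  if (ref.startsWith("./")) return "local";
  if (ref.startsWith("docker://")) return "docker";
  const at = ref.lastIndexOf("@");
  if (at === -1) return "unversioned";
  return SHA_RE.test(ref.slice(at + 1)) ? "sha" : "mutable";
}

// One finding per `uses:` line: 1-based line number, the reference, its kind.
function auditWorkflow(yamlText) {
  const findings = [];
  yamlText.split("\n").forEach((line, index) => {
    const m = USES_RE.exec(line);
    if (m) findings.push({ line: index + 1, ref: m[1], kind: classifyUses(m[1]) });
  });
  return findings;
}

// Only the references a reviewer would ask to be pinned to a commit SHA.
function unpinnedRefs(yamlText) {
  return auditWorkflow(yamlText)
    .filter((f) => f.kind === "mutable" || f.kind === "unversioned")
    .map((f) => f.ref);
}

// Constructed sample: the caller workflow from the slide plus a job with a
// tag-pinned action and a Docker image reference.
const SAMPLE_CALLER_WORKFLOW = `jobs:
  call-workflow-1-in-local-repo:
    uses: octo-org/this-repo/.github/workflows/workflow-1.yml@172239021f7ba04fe7327647b213799853a9eb89
  call-workflow-2-in-local-repo:
    uses: ./.github/workflows/workflow-2.yml
  call-workflow-in-another-repo:
    uses: octo-org/another-repo/.github/workflows/workflow.yml@v1
  step-job:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3  # tag: moves whenever the maintainer retags
      - uses: docker://alpine:3.18
`;

for (const f of auditWorkflow(SAMPLE_CALLER_WORKFLOW)) {
  console.log(`line ${f.line}: ${f.kind.padEnd(11)} ${f.ref}`);
}
console.log("needs SHA pinning:", unpinnedRefs(SAMPLE_CALLER_WORKFLOW));
```

Run it with `node` and feed it a real `.github/workflows/*.yml` file instead of the sample; the two tag-pinned references are the ones to replace with a commit SHA (and a comment naming the tag, so the intent stays readable).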
Reusable workflows                                  | Composite actions
----------------------------------------------------|---------------------------------------------------------------
Cannot call another reusable workflow               | Can be nested to have up to 10 composite actions in one workflow
Can use secrets                                     | Cannot use secrets
Can use if: conditionals                            | Cannot use if: conditionals
Can be stored as normal YAML files in your project  | Requires individual folders for each composite action
Can use multiple jobs                               | Cannot use multiple jobs
Each step is logged in real-time                    | Logged as one step even if it contains multiple steps
Source: https://github.blog/2022-02-10-using-reusable-workflows-github-actions/
Source: https://docs.github.com/en/actions/using-github-hosted-runners/about-github-hosted-runners and https://docs.github.com/en/actions/hosting-your-own-runners/about-self-hosted-runners
name: CI
on:
  push:
    branches: [ main ]
jobs:
  container-test-job:
    runs-on: ubuntu-latest
    container:
      image: node:14.16
      env:
        NODE_ENV: development
      ports:
        - 80
      volumes:
        - my_docker_volume:/volume_mount
      options: --cpus 1
    steps:
      - name: Check for dockerenv file
        run: (ls /.dockerenv && echo Found dockerenv) || (echo No dockerenv)
Figure: CI pipeline. Runners execute the Pipeline's Jobs as defined in the CI YAML stored in Git; the stages are Build → Test → Merge (1 to 3), then automatically release the Container Image to the Container Registry (4) and automatically deploy to production (5).

Figure: DevSecOps across Dev, Ops and Sec. Stages: Code → CI → Deploy: Dev/QA → Deploy: Pre-Prod → Deploy: Prod. Metrics shown: Lines of Code, Security Threats, Commits mentioning vulnerabilities.
Supply Chain
• Open-Source Dependencies
• Alerts on vulnerabilities
Code
• Deep scanning for vulnerabilities, e.g. XSS / SQL Injection
Development Lifecycle
• Higher level insights
• Across entire organization
Figure: dependency tree of Application.
Application
  Dependency A: A.1 (A.1.1, A.1.2, A.1.3), A.2 (A.2.1, A.2.2, A.2.3), A.3 (A.3.1, A.3.2, A.3.3)
  Dependency B: B.1, B.2, B.3
  Dependency C: C.1, C.2, C.3
Source: https://www.cisa.gov/uscert/apache-log4j-vulnerability-guidance, https://blog.sonatype.com/npm-project-used-by-millions-hijacked-in-supply-chain-attack, https://www.bleepingcomputer.com/news/security/big-sabotage-famous-npm-package-deletes-files-to-protest-ukraine-war/
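The tree above and the Log4j and npm incidents cited make the same point: an application's exposure is decided by transitive dependencies it never chose directly. When an advisory arrives, the two questions are how many packages the application really pulls in and through which paths the affected package reaches it. The following is an added example, not code from the slides: the figure's tree modelled as an adjacency map, extended with one constructed package (`log-lib`) reached from two places so the multiple-path case is visible, plus the closure and path queries a dependency-alert triage would run. The dependency names follow the figure; `log-lib` and the edges to it are invented for the example.

```javascript
// Added example, not from the slides: the dependency tree from the figure
// (names as drawn) plus a constructed package "log-lib" that two subtrees
// share, so one advisory can reach the application through several paths.
const TREE = {
  Application: ["A", "B", "C"],
  A: ["A.1", "A.2", "A.3"],
  "A.1": ["A.1.1", "A.1.2", "A.1.3"],
  "A.2": ["A.2.1", "A.2.2", "A.2.3"],
  "A.3": ["A.3.1", "A.3.2", "A.3.3"],
  B: ["B.1", "B.2", "B.3"],
  C: ["C.1", "C.2", "C.3"],
  "A.1.2": ["log-lib"], // constructed edge
  "C.3": ["log-lib"],   // constructed edge
};

// Every package the root pulls in, directly or transitively (root excluded).
// Iterative so a deep tree cannot blow the call stack; the seen-set also
// guards against cycles in real lockfiles.
function dependencyClosure(tree, root) {
  const seen = new Set();
  const stack = [root];
  while (stack.length > 0) {
    const node = stack.pop();
    for (const dep of tree[node] || []) {
      if (!seen.has(dep)) {
        seen.add(dep);
        stack.push(dep);
      }
    }
  }
  return seen;
}

// All paths from root to target, as arrays of package names. A dependency
// already on the current path is skipped, which breaks cycles.
function pathsTo(tree, root, target) {
  const paths = [];
  const walk = (node, path) => {
    if (node === target) {
      paths.push(path);
      return;
    }
    for (const dep of tree[node] || []) {
      if (!path.includes(dep)) walk(dep, [...path, dep]);
    }
  };
  walk(root, [root]);
  return paths;
}

// The shortest path tells you which direct dependency to bump first;
// null means the advisory does not affect this application at all.
function shortestPath(tree, root, target) {
  const paths = pathsTo(tree, root, target);
  if (paths.length === 0) return null;
  return paths.reduce((best, p) => (p.length < best.length ? p : best));
}

const closure = dependencyClosure(TREE, "Application");
console.log(`direct dependencies: ${TREE.Application.length}, total pulled in: ${closure.size}`);
for (const p of pathsTo(TREE, "Application", "log-lib")) console.log("path:", p.join(" -> "));
console.log("fix first via:", shortestPath(TREE, "Application", "log-lib").join(" -> "));
```

For a real project the adjacency map would be built from the lockfile (for npm, the `dependencies` entries of `package-lock.json`); the queries stay the same. Note that fixing only the shortest path leaves the application exposed through the other one, which is why every path matters.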
Figure: the same dependency tree of Application, repeated.
Source: https://github.com/advisories
Mean time to remediate (MTTR): 180+ days vs. 40 days
CodeQL query sources: Custom, Community Powered, GitHub Powered
• Security & Vulnerability
• OWASP Top 10
• SANS 25
• Language best practices
• …
Source: https://www.microsoft.com/security/blog/2021/02/25/microsoft-open-sources-codeql-queries-used-to-hunt-for-solorigate-activity/
DWX 2022 - DevSecOps mit GitHub