This repository has been archived by the owner on Sep 1, 2022. It is now read-only.

Merge pull request #16 from githubtraining/new-enabling
Use security tab for enabling alerts
hectorsector authored Jul 31, 2020
2 parents 0a9079f + 968d875 commit 4514668
Showing 8 changed files with 22 additions and 18 deletions.
2 changes: 1 addition & 1 deletion config.yml
@@ -24,7 +24,7 @@ before:

steps:

# Step 1
# Step 1:
# Learner enables GH pages for game
# Bot creates issue to report a vulnerability

4 changes: 2 additions & 2 deletions course-details.md
@@ -15,8 +15,8 @@ This course will answer common questions like:

In this course, you’ll learn how to:
- Enable vulnerable dependency detection for private repositories
- Detect and fix outdated dependencies with security vulnerabilities
- Automate the detection of vulnerable dependencies with Dependabot
- Detect and fix outdated dependencies
- Automate the detection and fix of vulnerable dependencies with Dependabot
- Add a security policy with the a `SECURITY.md` file
- Remove a commit exposing sensitive data in a pull request
- Keep sensitive files out of your repository by leveraging the use of a `.gitignore` file
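Review bot: the unchanged context bullet `- Add a security policy with the a `SECURITY.md` file` has a stray article ("the a"); since this hunk already rewrites the neighbouring objectives, fix it here as `- Add a security policy with a `SECURITY.md` file`. Separately, dropping `- Enable vulnerable dependency detection for private repositories` removes the only objective that covers enabling alerts at all, while the commit title is "Use security tab for enabling alerts"; either keep a reworded enablement bullet or confirm that the course no longer teaches that step.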
2 changes: 1 addition & 1 deletion responses/00_introduction-issue.md
@@ -38,7 +38,7 @@ This project is centered around a memory game that will be deployed with GitHub


1. Click the [**Settings**]({{ repoUrl }}/settings) tab in your repository.
1. Scroll down to **GitHub Pages**. Select `master` as a **Source**, and click **Save**.
1. Scroll down to **GitHub Pages** and set your [default branch as the source](https://docs.github.com/en/github/working-with-github-pages/configuring-a-publishing-source-for-your-github-pages-site), usually `main` or `master`.

{% endif %}

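Review bot: the new step drops the explicit `click **Save**` action that the replaced line `Select `master` as a **Source**, and click **Save**.` had; selecting a publishing source does nothing until it is saved, so end the new step with that instruction rather than relying on the learner to find it in the linked docs page.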
12 changes: 6 additions & 6 deletions responses/01_find-vulnerabilities.md
@@ -10,7 +10,7 @@ This repository has some existing dependencies which will need updating to stay

This repository is a Node.js project utilizing NPM. Because of that, [`package.json`]({{ repoUrl }}/blob/master/package.json) defines this repository's dependencies. For our time together, we'll be focusing on these JavaScript dependencies. Keep in mind that different programming languages may have different dependency manifests. You might work with a `Gemfile`, `Gemfile.lock`, `*.gemspec`, `requirements.txt`, `pipfile.lock`, or other files.

How can we know these dependencies are secure? GitHub monitors a number of reputable [data sources](https://help.github.com/en/github/managing-security-vulnerabilities/about-security-alerts-for-vulnerable-dependencies#data-sources-for-security-alerts) to track vulnerabilities across projects.
How can we know these dependencies are secure? GitHub monitors a number of reputable [data sources](https://docs.github.com/en/github/managing-security-vulnerabilities/about-alerts-for-vulnerable-dependencies#detection-of-vulnerable-dependencies) to track vulnerabilities across projects.

<hr>
</details>
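Review bot: the unchanged context line still hard-codes the branch in `[`package.json`]({{ repoUrl }}/blob/master/package.json)`, while `responses/00_introduction-issue.md` in this same commit now tells the learner the default branch is "usually `main` or `master`". A learner whose repository uses `main` gets a 404 from this link. Use a branch-agnostic link such as `{{ repoUrl }}/blob/HEAD/package.json` (GitHub resolves `HEAD` in blob URLs to the default branch), or whatever default-branch variable the course template already exposes.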
@@ -21,21 +21,21 @@ You may notice some alerts from GitHub about this repository. You may get an ema

![dependency vulnerability alert](https://user-images.githubusercontent.com/9906718/46882979-c275b680-ce50-11e8-9f47-2081daf20b98.png)

GitHub tracks vulnerabilities for a number of [supported languages](https://help.github.com/en/github/visualizing-repository-data-with-graphs/listing-the-packages-that-a-repository-depends-on#supported-languages) and their associated package managers, including RubyGems, NPM, Python PIP, Maven, and Nuget.
GitHub tracks vulnerabilities for a number of supported languages and their associated [package ecosystems](https://docs.github.com/en/github/visualizing-repository-data-with-graphs/about-the-dependency-graph#supported-package-ecosystems), including RubyGems, NPM, Python PIP, Maven, and .NET.

GitHub receives a notification of a newly-announced vulnerability. Next, we check for repositories that use the affected version of that dependency. We send security alerts to a set of people within those affected repositories. The owners are contacted by default and it's possible to configure specific teams or individuals to get these important notifications.

**GitHub never publicly discloses identified vulnerabilities for any repository.**

## Step 2: Find this repository's vulnerable dependencies

Use GitHub's security alerts to identify a vulnerable NPM dependency.
Use Dependabot alerts to identify a vulnerable NPM dependency.

### :keyboard: Activity: Identify the suggested version update

1. Click the **Insights** tab in your repository.
2. On the left hand navigation bar, click **Dependency graph**.
3. Scroll down until you see a yellow bar highlighting the dependency named `debug`, and click on the right hand side of the yellow `debug` section.
1. Click the **Security** tab in your repository.
2. On the left hand navigation bar, click **Dependabot alerts**.
3. Click on the `debug` alert.
4. Take note of the suggested version.
5. Comment in this issue with the suggested update version.

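Review bot: the activity steps now route through **Security** → **Dependabot alerts**, but the screenshot `![dependency vulnerability alert](...)` above them is unchanged and the surrounding prose still uses the old name (`You may notice some alerts from GitHub`, `We send security alerts to a set of people`). Confirm the image shows the Dependabot alerts view the learner will actually see, and align the wording with the new step text `Use Dependabot alerts to identify a vulnerable NPM dependency.` so one file does not mix both terms.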
12 changes: 6 additions & 6 deletions responses/04_add-dependabot.md
@@ -4,27 +4,27 @@ Manually going through your dependencies for alerts and outdated versions is ted

**Meet Dependabot**

![download](https://user-images.githubusercontent.com/6351798/67623352-53f86200-f7e1-11e9-957d-47bb009f030f.png)
![Dependabot icon](https://user-images.githubusercontent.com/6351798/67623352-53f86200-f7e1-11e9-957d-47bb009f030f.png)

Dependabot creates pull requests to keep your dependencies secure and up-to-date!
Dependabot alerts you and creates pull requests to keep your dependencies secure and up-to-date!

### How does Dependabot work?

Dependabot is the actor for GitHub's [automated security updates](https://help.github.com/en/github/managing-security-vulnerabilities/configuring-automated-security-updates).
Dependabot is the actor for GitHub's [automated security updates](https://docs.github.com/en/github/managing-security-vulnerabilities/configuring-github-dependabot-security-updates).

1. GitHub uses the dependency graph and security alerts to scan your repository and notify you of potential dependency updates
1. If any dependencies are out-of-date, Dependabot opens a pull request to update each one
1. If tests pass, and the updated version looks good, you simply merge the pull request

### Configuring automated security updates
### Configuring Dependabot security updates

You can enable automated security updates for any repository that uses security alerts and the dependency graph. You can disable automated security updates for an individual repository or for all repositories owned by your user account or organization. GitHub will automatically enable automated security updates in every repository that uses security alerts and the dependency graph.

![Screen Shot 2019-10-28 at 1 23 52 PM](https://user-images.githubusercontent.com/6351798/67711794-5c3ed180-f988-11e9-97ba-41451996a2fb.png)
![screenshot of a Dependabot alert, showing debug dependency](https://user-images.githubusercontent.com/6351798/67711794-5c3ed180-f988-11e9-97ba-41451996a2fb.png)

Here, we have a security alert on the **debug** dependency. Clicking on **debug** will show you the pull request created by Dependabot to update the dependency. We just updated to `2.6.9` but Dependabot noticed we are still outdated.

If you navigate to your [pull requests]({{ repoUrl }}/pulls), you'll notice Dependabot has done its job and is trying to bump, or update, the version of `debug`. Feel free to **approve and merge the pull request**.
If you navigate to your [closed pull requests]({{ repoUrl }}/pulls?q=is%3Apr+is%3Aclosed), you'll notice Dependabot has done its job and is trying to bump, or update, the version of `debug`.

## Close this issue when done

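Review bot: the new line `If you navigate to your [closed pull requests](...)` followed by `is trying to bump, or update, the version of `debug`` is self-contradictory: a pull request in the closed list is no longer trying to do anything. Either link to the open pull requests and keep the removed `Feel free to **approve and merge the pull request**` instruction, or state that the Dependabot pull request has already been merged or closed and why the learner is being sent to the closed list. Also, the heading was renamed to `### Configuring Dependabot security updates`, but the unchanged paragraph directly under it still says "automated security updates" three times; rename consistently within the hunk.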
4 changes: 3 additions & 1 deletion responses/05_add-security-policy.md
@@ -17,10 +17,12 @@ Just like a `README.md` file, it really depends on your repository and the requi
## Step 6: Add a SECURITY.md file

1. Navigate to the [Security]({{ repoUrl }}/network/alerts) tab
1. Click on Policy located in the left sidebar
1. Click on Security Policy located in the left sidebar
1. Click the **Start Setup** button
1. Commit the template security policy to the new branch as selected `{{ user.username }}-patch-1`
1. Commit the new file and create the pull request

Alternatively, you could also create a new file in the root directory called `SECURITY.md`, write up a quick security policy, and open a pull request.

<hr>
<h3 align="center">I'll respond in your pull request with next steps.</h3>
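Review bot: the unchanged step `Navigate to the [Security]({{ repoUrl }}/network/alerts) tab` links to the old dependency-graph alerts path, not to the Security tab, which contradicts this commit's title and the new `{{ repoUrl }}/security/policy` link added in `responses/06_good-merge.md`; use `{{ repoUrl }}/security`. The step `Commit the template security policy to the new branch as selected `{{ user.username }}-patch-1`` also reads awkwardly and now overlaps with the added `Commit the new file and create the pull request`; fold them into a single step so the learner commits once.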
2 changes: 1 addition & 1 deletion responses/05_successful-close.md
@@ -1,4 +1,4 @@
Nice job adding Dependabot.
Nice job getting to know Dependabot.


<hr>
2 changes: 2 additions & 0 deletions responses/06_good-merge.md
@@ -1,4 +1,6 @@
Nice, @{{ user.username }}! Go ahead and delete the branch.

You can view your newly published [security policy]({{ repoUrl }}/security/policy) in the Security tab.

<hr>
<h3 align="center">Find your <a href="{{ url }}">next pull request here.</a></h3>
