Configuring essential security features
Example scenario
Suppose you recently created a repository for a new web application and want to secure it, but you are not sure where to start.
Copilot Chat can walk you through configuring the most essential security features to keep your repository secure.
Example prompt
Provide step-by-step instructions on how to enable the following essential security features in my GitHub repository:
* Secret scanning
* Push protection
* Dependabot alerts
* Dependabot security updates
* Branch protection rules, including enforced code reviews before merging
Explain why each feature is important and how it helps secure my repository.
Example response
Copilot Chat provides information about each security feature and explains how to enable it.
Why it's important:
Secret scanning automatically detects accidentally committed secrets (API keys, credentials, etc.) in your repository.
How it helps:
Leaked secrets can allow attackers to access systems, steal data, or cause other harm. Early detection prevents misuse.
How to Enable:
1. Go to your repository on GitHub.
2. Click on Settings.
3. In the left sidebar, click Code security.
4. Scroll to Secret scanning.
5. Ensure "Secret scanning" and "Push protection" are both enabled.
6. If not, click Enable.
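The steps above are clicked through in the web UI. When you maintain more than one repository it is useful to audit the same five features from the REST API responses instead. The following script is an added example, not part of the page or of Copilot's output: it reads the JSON shapes returned by `GET /repos/{owner}/{repo}` (the `security_and_analysis` block), the HTTP status of `GET /repos/{owner}/{repo}/vulnerability-alerts` (204 means Dependabot alerts are enabled, 404 means they are not), and `GET /repos/{owner}/{repo}/branches/{branch}/protection`, and reports which of the prompt's five features are still missing together with the REST call that turns each one on. The sample responses are constructed, not captured from a real repository; the `min_reviews` threshold is the example's own parameter.

```python
"""Audit a repository's essential security settings from GitHub REST API responses.

Added example (not code from the page). Consumes:
  GET /repos/{owner}/{repo}                        -> repo JSON with security_and_analysis
  GET /repos/{owner}/{repo}/vulnerability-alerts   -> HTTP 204 enabled / 404 disabled
  GET /repos/{owner}/{repo}/branches/{branch}/protection -> protection JSON or None on 404
"""

# Constructed sample: secret scanning is on, everything else is still off,
# and the default branch has no protection rule at all.
SAMPLE_REPO = {
    "name": "example-webapp",
    "default_branch": "main",
    "security_and_analysis": {
        "secret_scanning": {"status": "enabled"},
        "secret_scanning_push_protection": {"status": "disabled"},
        "dependabot_security_updates": {"status": "disabled"},
    },
}
SAMPLE_VULN_ALERTS_STATUS = 404   # constructed: GET .../vulnerability-alerts returned 404
SAMPLE_PROTECTION = None          # constructed: GET .../branches/main/protection returned 404


def audit(repo, vuln_alerts_status, protection, min_reviews=1):
    """Return a list of (feature, remediation) pairs for each control not enabled.

    min_reviews is the number of approving reviews branch protection must
    require before merging (this example's own parameter, default 1).
    """
    missing = []
    settings = repo.get("security_and_analysis") or {}

    def enabled(key):
        # Each feature is reported as {"status": "enabled"|"disabled"}.
        return (settings.get(key) or {}).get("status") == "enabled"

    if not enabled("secret_scanning"):
        missing.append(("Secret scanning",
                        "PATCH /repos/{owner}/{repo} with "
                        '{"security_and_analysis":{"secret_scanning":{"status":"enabled"}}}'))
    if not enabled("secret_scanning_push_protection"):
        missing.append(("Push protection",
                        "PATCH /repos/{owner}/{repo} with "
                        '{"security_and_analysis":{"secret_scanning_push_protection":'
                        '{"status":"enabled"}}}'))
    if vuln_alerts_status != 204:
        missing.append(("Dependabot alerts",
                        "PUT /repos/{owner}/{repo}/vulnerability-alerts"))
    if not enabled("dependabot_security_updates"):
        missing.append(("Dependabot security updates",
                        "PUT /repos/{owner}/{repo}/automated-security-fixes"))

    # Branch protection: require at least min_reviews approving reviews.
    reviews = (protection or {}).get("required_pull_request_reviews") or {}
    if reviews.get("required_approving_review_count", 0) < min_reviews:
        branch = repo.get("default_branch", "main")
        missing.append(("Branch protection with required code reviews",
                        f"PUT /repos/{{owner}}/{{repo}}/branches/{branch}/protection with "
                        f'{{"required_pull_request_reviews":'
                        f'{{"required_approving_review_count":{min_reviews}}}}}'))
    return missing


def report(missing):
    """Render audit results as one line per missing feature."""
    if not missing:
        return "All essential security features are enabled."
    return "\n".join(f"MISSING: {name}\n    fix: {fix}" for name, fix in missing)


if __name__ == "__main__":
    print(report(audit(SAMPLE_REPO, SAMPLE_VULN_ALERTS_STATUS, SAMPLE_PROTECTION)))
```

To run it against a real repository, save the three API responses first (for example with `gh api repos/OWNER/REPO`, `gh api repos/OWNER/REPO/vulnerability-alerts` noting the status code, and `gh api repos/OWNER/REPO/branches/main/protection`) and pass the parsed JSON to `audit`. The branch-protection check deliberately treats a missing rule and a rule with zero required approvals the same way, since both allow an unreviewed merge.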
Encouraging secure contributions and best practices with a security policy
Example scenario
Suppose you want to share your project publicly and establish a clear security policy that gives users guidance on how to safely report vulnerabilities found in the repository.
Copilot Chat can write a security policy for your repository.
Example prompt
Write a GitHub security policy (SECURITY.md) for my repository. The policy should include:
* A clear description of how users can report security vulnerabilities.
* A response timeline for security issues.
* Guidelines for responsible disclosure.
* Supported versions of the software.
Format it as a well-structured Markdown document.
Example output
Copilot Chat generates a SECURITY.md file that you can commit to your repository.
# Security Policy
Thank you for helping to keep this project and its users secure! This document outlines the security policy and responsible disclosure guidelines for this repository.
## Reporting a Vulnerability
If you discover a security vulnerability, please report it by emailing **security@yourdomain.com** or by using the GitHub [security advisories](https://github.com/octocat/octocat-repo/security/advisories) feature.
**Do not** report security vulnerabilities via public GitHub issues or pull requests.
When reporting a vulnerability, please include as much information as possible to help us understand and reproduce the issue:
- A clear description of the vulnerability.
- Steps to reproduce the issue.
- Any relevant logs, screenshots, or proof-of-concept code.
- Your assessment of the potential impact.
## Response Timeline
We take security issues seriously and will respond according to the following guidelines:
- **Acknowledgment:** We will acknowledge receipt of your report within **3 business days**.
- **Investigation:** We will investigate and assess the report as quickly as possible, usually within **7 business days**.
- **Resolution:** Once a fix is identified, we will work to release a security update promptly. We will coordinate with you as needed, especially if you are the reporter.
- **Disclosure:** We will notify the community of the vulnerability and fix via a GitHub security advisory, and credit the reporter as appropriate.
## Responsible Disclosure Guidelines
To protect users of this project, we ask that you:
- Avoid public disclosure of the vulnerability until it has been investigated and patched.
- Allow us a reasonable amount of time to resolve the issue before any public disclosure.
- Provide relevant details privately (see "Reporting a Vulnerability" above).
- Act in good faith and avoid exploiting the vulnerability beyond what is necessary for your report.
We are committed to working with security researchers and the community to ensure a safe and secure software ecosystem.