securebeats
diff --git a/‎.github/steps/1-step.md‎
Lines changed: 48 additions & 0 deletions b/‎.github/steps/1-step.md‎
Lines changed: 48 additions & 0 deletions
diff --git a/‎.github/steps/2-step.md‎
Lines changed: 75 additions & 0 deletions b/‎.github/steps/2-step.md‎
Lines changed: 75 additions & 0 deletions
diff --git a/‎.github/steps/3-step.md‎
Lines changed: 85 additions & 0 deletions b/‎.github/steps/3-step.md‎
Lines changed: 85 additions & 0 deletions
diff --git a/‎.github/steps/4-step.md‎
Lines changed: 42 additions & 0 deletions b/‎.github/steps/4-step.md‎
Lines changed: 42 additions & 0 deletions
diff --git a/‎.github/steps/x-review.md‎
Lines changed: 19 additions & 0 deletions b/‎.github/steps/x-review.md‎
Lines changed: 19 additions & 0 deletions
diff --git a/‎.github/workflows/0-start-exercise.yml‎
Lines changed: 63 additions & 0 deletions b/‎.github/workflows/0-start-exercise.yml‎
Lines changed: 63 additions & 0 deletions
@@ -0,0 +1,48 @@
+## Step 1: Enable Code Scanning
+
+Let's start by learning a bit about code scanning with [CodeQL](https://codeql.github.com/) and how it helps secure your code.
+
+### What is GitHub Code Scanning?
+
+[Code scanning](https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/about-code-scanning) is part of the [GitHub Advanced Security (GHAS)](https://docs.github.com/en/get-started/learning-about-github/about-github-advanced-security) product suite. It allows development teams to integrate security testing tools directly into the same process you already use for shipping code. It supports many types such as SAST, container, and infrastructure as code. And, the best part is that the results can also live directly in GitHub next to your code. No need for context switching! 🎉
+
+> [!TIP]
+> All features of GitHub Advanced Security are free for public repositories. However, private repositories require a compatible [paid account](https://docs.github.com/en/billing/managing-billing-for-your-products/managing-billing-for-github-advanced-security/about-billing-for-github-advanced-security).
+
+### What is CodeQL?
+
+[CodeQL](https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/about-code-scanning-with-codeql) is a static analysis testing tool that helps you identify security weaknesses such as SQL injection, cross-site scripting, and code injection issues.
+
+Typically CodeQL [queries](https://codeql.github.com/docs/writing-codeql-queries/about-codeql-queries/) are collected into [query suites](https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/about-code-scanning-with-codeql#about-codeql-queries) to cover multiple patterns. When combined well, this can be a very powerful! To help with this, teams of security experts have pre-populated suites for many common scenarios and programming languages.
+
+In many cases, taking advantage of CodeQL is as simple as accepting the default suite, but you can also select the extended suite or customize your own with [GitHub Actions]().
+
+<img width="200" align="right" alt="codeql default configuration box" src="https://github.com/user-attachments/assets/cf5ba96b-98bb-4db5-b743-bd31bceaabac"/>
+
+Here are some of the options the default configuration provides:
+
+- **Languages:** Supported languages will automatically detected in your repository and scanning will be enabled.
+
+- **Query suites:** A list of the available suites of patterns that will be used. The **Default** or **Extended** are provided automatically.
+
+- **Events:** Triggers for running a CodeQL scan. It's common to run before merging and on a schedule for production code.
+
+### ⌨️ Activity: Enable code scanning with CodeQL
+
+1. Open a second tab and navigate to this repository. Ensure you are on the **Code** tab.
+
+1. In the top navigation, select the the **Settings** tab.
+
+1. In the left navigation, fine the **Security** section and select **Advanced Security**.
+
+1. Scroll down and find the **Code scanning** area.
+
+1. In the **CodeQL** setting, click the **Set up** dropdown menu and choose **Default**.
+
+   <img width="400" alt="enable code scanning" src="https://github.com/user-attachments/assets/0d639af3-a8fb-4ea7-8b94-44621a34fc3c"/>
+
+1. Click **Enable CodeQL**.
+
+   > 💡 Tip: This will trigger a first run of CodeQL. You can view the progress in the **Actions** tab.
+
+1. With CodeQL now enabled, Mona will check your progress and share the next steps.
@@ -0,0 +1,75 @@
+## Step 2: Detect Vulnerabilities in a Pull Request
+
+To see how Code Scanning works, we will introduce a vulnerability into the `routes.py` file to trigger an alert.
+
+### ⌨️ Activity: Create a vulnerability
+
+1. In the top navigation, select the **Code** tab.
+
+1. Navigate to the `server` folder and select the `routes.py` file.
+
+1. In the top right of the preview, click the **Edit** button.
+
+   <img width="500" alt="edit button" src="https://github.com/user-attachments/assets/19462cc5-a360-4dae-a97b-ecfd571aa403"/>
+
+1. Navigate to about **line 16** and modify it to the below.
+
+   ```py
+   "SELECT * FROM books WHERE name LIKE '%" + name + "%'"
+   ```
+
+1. Above the editor in the top-right, click the **Commit changes...** button. In the prompt window, select the radio button for the **Create a new branch** option. **DO NOT commit to the main branch.**
+
+1. Click the **Propose changes** option and click **Create pull request**. Use the below branch name.
+
+   ```txt
+   learning-codeql
+   ```
+
+1. On the new page, below the pull request description, press the **Create pull request** button.
+
+### ⌨️ Activity: Review pull request
+
+1. If needed, navigate to the newly created pull request from the previous activity.
+
+1. Scroll to the bottom of the pull request and search for a check named `CodeQL`. This is the analysis job scanning the proposed code changes in the pull request.
+
+   <img width="500" alt="CodeQL check in progress" src="https://github.com/user-attachments/assets/3c1721cf-e18d-4b8a-8feb-615033d53f4c" />
+
+1. If the job is still running, wait a few minutes for it to complete.
+
+1. Search the comments to find the results of the analysis.
+
+   - Notice that the results found a SQL injection vulnerability. It also suggests a fix.
+   - Don't worry about responding to this or resolving the problem (yet).
+
+   <img width="500" alt="code scan results" src="https://github.com/user-attachments/assets/1914befe-e091-4905-bfdc-a5a252a73d2d" />
+
+   > 💡 Tip: Clicking the **Show paths** link will provide additional insights about the alert's data flow from user input (source), through the application, and when it is acted on (sink).
+
+### ⌨️ Activity: View the CodeQL scanning logs
+
+1. In the top navigation, select the **Actions** tab.
+
+1. In the left navigation, select the **CodeQL** entry to filter the workflow runs.
+
+   <img width="500" alt="codeql filter" src="https://github.com/user-attachments/assets/9b66339d-0fba-4a72-be2e-5a0b2b5677b7"/>
+
+1. Click on the workflow run with the name **PR #2** to open a page with more details.
+
+   <img width="500" alt="codeql setup" src="https://github.com/user-attachments/assets/016a729e-3b41-466c-8edf-3d4b41a86b7d"/>
+
+1. Expand the run jobs by clicking **Show all jobs** then click on the **Analyze (python)** entry. The list of all workflow steps is now shown.
+
+   <img height="250" alt="matrix jobs" src="https://github.com/user-attachments/assets/36516944-5728-4f81-82ba-2d60658e88ff" />
+
+   <img height="250" alt="list of codeql jobs" src="https://github.com/user-attachments/assets/418e1729-b406-444f-93b9-3d05d072d7de" />
+
+1. Find the analysis entry and consider reviewing the logs.
+
+   <img width="500" alt="python analysis logs" src="https://github.com/user-attachments/assets/56ac1cf6-8e51-4e1f-b7f5-2dd48a5e5614" />
+
+1. With the pull request started and CodeQL scan finished, Mona will check your progress and share the next steps.
+
+> [!TIP]
+> Check out the [Triage code scanning alerts in pull requests](https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/triaging-code-scanning-alerts-in-pull-requests) page to learn more about integration of code scanning into pull requests.
@@ -0,0 +1,85 @@
+## Step 3: Review and Triage CodeQL Alerts
+
+With our pull request changes now reviewed by CodeQL, we now have some results to view.Let's learn about managing alerts.
+
+GitHub provides a dedicated **Security** tab for securely managing all security related issues. CodeQL saves alerts using the same standard as many other analysis tools with the results showing up under the **Code scanning** area.
+
+<img width="600" alt="image" src="https://github.com/user-attachments/assets/cf4fc6ec-e40e-4df6-8984-b6ec35341737" />
+
+### What information do alerts provide?
+
+The main area of an alert provides the resolution status, affected branch, code location, and classification information like severity and [CVE identification number](https://docs.github.com/en/code-security/security-advisories/working-with-repository-security-advisories/about-repository-security-advisories#cve-identification-numbers).
+
+After the status information, a detailed description of the issue, recommended solutions, and suggested code changes are provided.
+
+<img width="600" alt="additional information" src="https://github.com/user-attachments/assets/9a5aaf3f-e063-4d07-8cdd-6272eec8a411"/>
+
+### What is CWE?
+
+Many of the patterns CodeQL scans for come from existing databases of vulnerabilities, which are categorized for easier understanding.
+
+The **Common Weakness Enumeration (CWE)** is a category system for hardware and software weaknesses and vulnerabilities. Think of it as a way to describe and categorize security issues in an application's source code. For more information on CWEs, see the Wikipedia article [Common Weakness Enumeration](https://en.wikipedia.org/wiki/Common_Weakness_Enumeration).
+
+### ⌨️ Activity: View existing alerts
+
+1. In the top navigation, select the **Security** tab.
+
+1. In the left navigation, find the **Vulnerability alerts** area and select the **Code scanning** option.
+
+   - Notice that there are no alerts. This is expected since the vulnerable code on the pull request has not been merged yet.
+
+1. Return to the recently created pull request. Ignore the failed check and click the **Merge pull request** button.
+
+   <img width="300" alt="merge button" src="https://github.com/user-attachments/assets/cb6fc4a9-c441-4d63-9104-efca6171d262" />
+
+1. Click the **Delete branch**. It is not needed anymore.
+
+1. Wait a moment for CodeQL to analyze the new changes to the `main` branch.
+
+1. Return the the **Security** tab.
+
+1. In the left navigation, notice that the **Code Scanning** option now has a `1` entry next to it, informing us of an open alert.
+
+   <img width="250" alt="code scanning alerts count" src="https://github.com/user-attachments/assets/80f17f92-bd8e-45c4-b471-c60665e116d7" />
+
+### ⌨️ Activity: Review an Alert
+
+1. In the left navigation, select the **Code scanning** option.
+
+1. Click on the open alert.
+
+1. Notice the description, vulnerability description, and a recommended solution.
+
+   <img width="600" alt="alert overview" src="https://github.com/user-attachments/assets/6da3aaa7-c9bb-4046-9372-c137a2d43106" />
+
+1. Notice the audit trail provides the source of the vulnerability and shows that it came from our pull request.
+
+### ⌨️ Activity: Dismiss and Reopen an Alert
+
+1. In the top right, click **Dismiss alert** dropdown.
+
+1. Select the `Used in tests` option and enter the below description.
+
+   ```md
+   This is a playground repository for learning about CodeQL alerts.
+   ```
+
+   <img width="300" alt="dismiss alert options" src="https://github.com/user-attachments/assets/7be133a7-3f20-4bf3-8073-383eb1cce359" />
+
+1. Click the **Dismiss alert** button.
+
+   - The alert state will change to `Dismissed`.
+   - A read-only entry was added with the description to the audit trail showing who closed it.
+
+   <img width="300" alt="audit log entry showing alert dismissed" src="https://github.com/user-attachments/assets/afdd6e11-d4c9-466c-82d4-622c96e039a3" />
+
+1. In the top right, click the **Reopen alert** button.
+
+   - The alert state will change back to `Open`.
+   - A read-only entry was added to the audit trail showing who opened it.
+
+1. With an alert closed and reopened, add a comment to this issue asking Mona to check our progress and share the next steps.
+
+   ```md
+   Hey @professortocat, I've closed an reopened an alert. What is the next step?
+   ```
@@ -0,0 +1,42 @@
+## Step 4: Fix Security Vulnerabilities
+
+Finally, let's use the information provided by CodeQL to better understand the vulnerability and fix it.
+
+### ⌨️ Activity: Resolve an open alert
+
+1. Review the open alert and become familiar with the recommended changes.
+
+1. In the top navigation, select the **Code** tab.
+
+1. Ensure you are on the `main` branch then navigate to the `server` folder and select the `routes.py` file.
+
+1. In the top right of the preview, click the **Edit** button.
+
+   <img width="500" alt="edit button" src="https://github.com/user-attachments/assets/19462cc5-a360-4dae-a97b-ecfd571aa403"/>
+
+1. Navigate to about **line 16** and modify it to the below.
+
+   ```py
+   "SELECT * FROM books WHERE name LIKE %s", name
+   ```
+
+1. Above the editor in the top-right, click the **Commit changes...** button. Use the defaults options to commit directly to the `main` branch.
+
+   - CodeQL will now initiate a another scan.
+
+1. Wait a moment for the **CodeQL** workflow to finish.
+
+1. Return the the **Security** tab and **Code Scanning** area.
+
+   - There should be no open alerts and 1 closed alerts. Nice work! 🎉
+   - Feel free to review the closed alerts, especially the audit trail.
+
+1. Click on **Closed** to show our recently resolved alert.
+
+   <img width="350" alt="image" src="https://github.com/user-attachments/assets/75656267-cd80-47de-82cb-fd50e423f992" />
+
+1. Open our alert and notice the audit trail now includes how the alert was fixed.
+
+   <img width="350" alt="image" src="https://github.com/user-attachments/assets/316e25cb-e8ce-402d-aba8-7cbba9cb0753" />
+
+1. With our alert fixed, Mona will check your progress and share a final review. Nice work! You are all done! 🥳
@@ -0,0 +1,19 @@
+## Review
+
+Great job completing the exercise! You have now:
+
+- Enabled Code Scanning with CodeQL in your repository.
+- Introduced and detected a vulnerability using a pull request.
+- Reviewed and triaged CodeQL alerts.
+- Fixed a security vulnerability and verified the alert was resolved.
+
+By following these steps, you’ve learned how to use GitHub’s security features to keep your codebase safe. Remember, regularly reviewing and addressing security alerts is an important part of maintaining healthy projects.
+
+### What's next?
+
+- [Take another Skills exercise.](https://github.com/skills).
+- Visit the [CodeQL documentation](https://codeql.github.com/docs/) to learn about about customizing your code scanning.
+- Check out the [code scanning documentation](https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/about-code-scanning) to learn about connecting 3rd party scanning tools
+- Explore the [CodeQL CLI & VS Code extension](https://codeql.github.com/docs/codeql-cli/) to run and write custom queries locally.
+- Read the [triaging code scanning alerts guide](https://docs.github.com/en/code-security/code-scanning/managing-code-scanning-alerts/triaging-code-scanning-alerts-in-pull-requests) for best practices on investigating alerts.
+- Learn about [advanced CodeQL query features](https://docs.github.com/en/code-security/codeql-for-vs-code/using-the-advanced-functionality-of-the-codeql-for-vs-code-extension/creating-a-custom-query) to build complex custom analyses.
@@ -0,0 +1,63 @@
+name: Step 0
+
+on:
+  push:
+    branches:
+      - main
+
+permissions:
+  contents: write
+  actions: write
+  issues: write
+
+env:
+  STEP_1_FILE: ".github/steps/1-step.md"
+
+jobs:
+  start_exercise:
+    if: |
+      !github.event.repository.is_template
+    name: Start Exercise
+    uses: skills/exercise-toolkit/.github/workflows/[email protected]
+    with:
+      exercise-title: "Introduction to CodeQL"
+      intro-message: "Learn to use CodeQL to find security vulnerabilities in your code."
+
+  post_next_step_content:
+    name: Post next step content
+    runs-on: ubuntu-latest
+    needs: [start_exercise]
+    env:
+      ISSUE_NUMBER: ${{ needs.start_exercise.outputs.issue-number }}
+      ISSUE_REPOSITORY: ${{ github.repository }}
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Get response templates
+        uses: actions/checkout@v4
+        with:
+          repository: skills/exercise-toolkit
+          path: exercise-toolkit
+          ref: v0.7.1
+
+      - name: Create comment - add step content
+        uses: GrantBirki/[email protected]
+        with:
+          repository: ${{ env.ISSUE_REPOSITORY }}
+          issue-number: ${{ env.ISSUE_NUMBER }}
+          file: ${{ env.STEP_1_FILE }}
+
+      - name: Create comment - watching for progress
+        uses: GrantBirki/[email protected]
+        with:
+          repository: ${{ env.ISSUE_REPOSITORY }}
+          issue-number: ${{ env.ISSUE_NUMBER }}
+          file: exercise-toolkit/markdown-templates/step-feedback/watching-for-progress.md
+
+      - name: Enable next step workflow
+        run: |
+          gh workflow enable "Step 1"
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}