
Implement DevSecOps GHAS Demo Features with Intentional Vulnerabilities #83

3 changes: 3 additions & 0 deletions src/webapp01/Pages/DevSecOps.cshtml
@@ -139,6 +139,9 @@
<a href="https://docs.github.com/en/code-security/secret-scanning" class="btn btn-outline-warning btn-sm" target="_blank">
<i class="bi bi-key"></i> Secret Scanning
</a>
<a asp-page="/DevSecOps2" class="btn btn-outline-danger btn-sm">
<i class="bi bi-arrow-right"></i> Advanced Demo
</a>
</div>
</div>
</div>
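Review bot: The new "Advanced Demo" link exposes a page that, by the PR's own description, carries intentionally exploitable handlers (SQL injection, CSRF) from the main DevSecOps page without any environment gating. Consider wrapping this anchor in the ASP.NET Core environment tag helper, e.g. `<environment include="Development">` ... `</environment>`, so the link (and ideally the DevSecOps2 page itself, via the same check in its PageModel) is only reachable in Development builds; that makes the "never deploy to production" warning on the target page enforceable rather than advisory.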
252 changes: 252 additions & 0 deletions src/webapp01/Pages/DevSecOps2.cshtml
@@ -0,0 +1,252 @@
@page
@model DevSecOps2Model
@{
ViewData["Title"] = "Advanced DevSecOps Security Demonstrations";
}

<div class="container">
<div class="row">
<div class="col-12">
<h1 class="display-4 text-danger">@ViewData["Title"]</h1>
<p class="lead">Extended security vulnerability demonstrations for GitHub Advanced Security scanning</p>
<hr />
</div>
</div>

<!-- Alert for TempData messages -->
@if (TempData["SqlResult"] != null)
{
<div class="alert alert-info alert-dismissible fade show" role="alert">
@TempData["SqlResult"]
<button type="button" class="btn-close" data-bs-dismiss="alert" aria-label="Close"></button>
</div>
}

@if (TempData["SqlError"] != null)
{
<div class="alert alert-danger alert-dismissible fade show" role="alert">
@TempData["SqlError"]
<button type="button" class="btn-close" data-bs-dismiss="alert" aria-label="Close"></button>
</div>
}

<div class="row">
<!-- Extended GHAS Features Section -->
<div class="col-lg-8">
<div class="card mb-4">
<div class="card-header bg-danger text-white">
<h3 class="card-title mb-0">
<i class="bi bi-bug"></i> Advanced Security Vulnerabilities Demo
</h3>
</div>
<div class="card-body">
@if (Model.SecurityDemos.Any())
{
<div class="list-group list-group-flush">
@foreach (var demo in Model.SecurityDemos)
{
<div class="list-group-item d-flex align-items-start">
<span class="badge bg-danger rounded-pill me-3 mt-1">VULN</span>
<div>
<p class="mb-1">@demo</p>
<small class="text-muted">Detected by GHAS Code Scanning</small>
</div>
</div>
}
</div>
}
else
{
<p class="text-muted">No vulnerability demonstrations available.</p>
}
</div>
</div>

<!-- Security Tools Overview -->
<div class="card mb-4">
<div class="card-header bg-secondary text-white">
<h3 class="card-title mb-0">Extended GHAS Capabilities</h3>
</div>
<div class="card-body">
<div class="row">
<div class="col-md-6">
<h5><i class="bi bi-shield-exclamation"></i> Advanced Code Analysis</h5>
<p>Deep semantic analysis with custom CodeQL queries for complex vulnerability patterns.</p>

<h5><i class="bi bi-database-exclamation"></i> SQL Injection Detection</h5>
<p>Automated detection of SQL injection vulnerabilities in database queries.</p>
</div>
<div class="col-md-6">
<h5><i class="bi bi-file-earmark-code"></i> Custom Security Rules</h5>
<p>Organization-specific security policies and custom vulnerability detection rules.</p>

<h5><i class="bi bi-cloud-upload"></i> Supply Chain Security</h5>
<p>Comprehensive dependency vulnerability tracking and remediation guidance.</p>
</div>
</div>
</div>
</div>

<!-- Security Metrics -->
<div class="card mb-4">
<div class="card-header bg-info text-white">
<h3 class="card-title mb-0">Security Metrics Dashboard</h3>
</div>
<div class="card-body">
<div class="row text-center">
<div class="col-md-3">
<h4 class="text-danger">@Model.VulnerabilityCount</h4>
<small class="text-muted">Critical Vulnerabilities</small>
</div>
<div class="col-md-3">
<h4 class="text-warning">@Model.SecretCount</h4>
<small class="text-muted">Exposed Secrets</small>
</div>
<div class="col-md-3">
<h4 class="text-primary">@Model.DependencyCount</h4>
<small class="text-muted">Vulnerable Dependencies</small>
</div>
<div class="col-md-3">
<h4 class="text-success">@Model.FixedCount</h4>
<small class="text-muted">Issues Resolved</small>
</div>
</div>
</div>
</div>
</div>

<!-- Advanced Security Demo Tools -->
<div class="col-lg-4">
<!-- SQL Injection Demo Section -->
<div class="card mb-4">
<div class="card-header bg-danger text-white">
<h4 class="card-title mb-0">
<i class="bi bi-database-exclamation"></i> SQL Injection Demo
</h4>
</div>
<div class="card-body">
<p class="text-muted small">
This form demonstrates SQL injection vulnerabilities that should be detected by GHAS.
<strong>DO NOT use in production!</strong>
</p>

<!-- SQL Injection Testing Form -->
<form method="post" asp-page-handler="TestSql" class="mt-3">
<div class="mb-3">
<label for="username" class="form-label">Username Search:</label>
<input type="text" class="form-control" id="username" name="username"
placeholder="Enter username" value="admin">
<div class="form-text text-danger">
⚠️ This query is vulnerable to SQL injection attacks.
</div>
</div>
<button type="submit" class="btn btn-danger btn-sm">
<i class="bi bi-search"></i> Search User
</button>
</form>
</div>
</div>

<!-- CSRF Demo Section -->
<div class="card mb-4">
<div class="card-header bg-warning text-dark">
<h4 class="card-title mb-0">
<i class="bi bi-shield-slash"></i> CSRF Demo
</h4>
</div>
<div class="card-body">
<p class="text-muted small">
This form lacks CSRF protection, demonstrating a common security vulnerability.
</p>

<!-- CSRF Vulnerable Form -->
<form method="post" asp-page-handler="UnsafeAction" class="mt-3">
<div class="mb-3">
<label for="action" class="form-label">Action:</label>
<select class="form-control" id="action" name="action">
<option value="view">View Data</option>
<option value="delete">Delete Record</option>
<option value="update">Update Settings</option>
</select>
</div>
<button type="submit" class="btn btn-warning btn-sm">
<i class="bi bi-play"></i> Execute
</button>
</form>
</div>
</div>

<!-- Advanced Resources -->
<div class="card">
<div class="card-header bg-dark text-white">
<h4 class="card-title mb-0">Advanced Resources</h4>
</div>
<div class="card-body">
<div class="d-grid gap-2">
<a href="https://docs.github.com/en/code-security/code-scanning/using-codeql-code-scanning-with-your-existing-ci-system" class="btn btn-outline-primary btn-sm" target="_blank">
<i class="bi bi-gear"></i> CodeQL CI Integration
</a>
<a href="https://docs.github.com/en/code-security/secret-scanning/defining-custom-patterns-for-secret-scanning" class="btn btn-outline-secondary btn-sm" target="_blank">
<i class="bi bi-key"></i> Custom Secret Patterns
</a>
<a href="https://docs.github.com/en/code-security/dependabot" class="btn btn-outline-success btn-sm" target="_blank">
<i class="bi bi-arrow-repeat"></i> Dependabot Configuration
</a>
<a href="https://docs.github.com/en/code-security/security-advisories" class="btn btn-outline-info btn-sm" target="_blank">
<i class="bi bi-exclamation-triangle"></i> Security Advisories
</a>
<a asp-page="/DevSecOps" class="btn btn-outline-primary btn-sm">
<i class="bi bi-arrow-left"></i> Basic Demo
</a>
</div>
</div>
</div>
</div>
</div>

<!-- Extended Footer Section -->
<div class="row mt-5">
<div class="col-12">
<div class="alert alert-danger" role="alert">
<h5 class="alert-heading">
<i class="bi bi-exclamation-triangle-fill"></i> Security Warning:
</h5>
<p>
This page contains <strong>intentionally vulnerable code</strong> designed for GitHub Advanced Security
demonstrations. The vulnerabilities include SQL injection, CSRF, hardcoded credentials,
and insecure data handling patterns.
</p>
<hr>
<p class="mb-0">
<strong>Never deploy this code to production!</strong> Use it only for learning and testing
GHAS capabilities in a secure, isolated environment.
</p>
</div>
</div>
</div>
</div>

@section Scripts {
<script>
// Auto-dismiss alerts after 6 seconds
setTimeout(function() {
const alerts = document.querySelectorAll('.alert-dismissible');
alerts.forEach(alert => {
const bsAlert = new bootstrap.Alert(alert);
bsAlert.close();
});
}, 6000);

// Add warning confirmation for dangerous actions
document.addEventListener('DOMContentLoaded', function() {
const dangerousForms = document.querySelectorAll('form[asp-page-handler="UnsafeAction"], form[asp-page-handler="TestSql"]');
dangerousForms.forEach(form => {
form.addEventListener('submit', function(e) {
if (!confirm('This action demonstrates a security vulnerability. Continue for demo purposes?')) {
e.preventDefault();
}
});
});
});
</script>
}
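Review bot: The confirmation hook in the `@section Scripts` block never fires, because `querySelectorAll('form[asp-page-handler="UnsafeAction"], form[asp-page-handler="TestSql"]')` selects on an attribute that does not exist in the rendered DOM. The Razor form tag helper consumes `asp-page-handler` and emits `action="/DevSecOps2?handler=TestSql"` instead, so the selector matches nothing. Give each form a stable marker, for example `id="sql-demo-form"` and `id="csrf-demo-form"` (or a `data-demo` attribute), and select on that. Two related points for the CSRF card: the same tag helper also injects a hidden `__RequestVerificationToken` into every `method="post"` form, so the form on this page is only "lacking CSRF protection" if `DevSecOps2Model` (not visible in this hunk) explicitly opts out with `[IgnoreAntiforgeryToken]`; the card text and the `SecurityDemos` list should match whatever the PageModel actually does. Finally, the footer warning lists "hardcoded credentials" and "insecure data handling" among the vulnerabilities on this page, but nothing in this file demonstrates them; either point the text at the PageModel where they live or trim the list so the demo's claims stay traceable to code that GHAS will actually flag.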