Commit 742f7f2

Copilot and CalinL committed
Add DevSecOps-2649 demo page with GHAS features and intentional vulnerabilities
Co-authored-by: CalinL <10718943+CalinL@users.noreply.github.com>
1 parent e8e5f31 commit 742f7f2

4 files changed: +633 -1 lines changed

Lines changed: 358 additions & 0 deletions
@@ -0,0 +1,358 @@
1+
@page
2+
@model DevSecOps2649Model
3+
@{
4+
ViewData["Title"] = "DevSecOps Demo 2649 - Latest GHAS Features";
5+
}
6+
7+
<div class="container">
8+
<div class="row">
9+
<div class="col-12">
10+
<h1 class="display-4 text-primary">@ViewData["Title"]</h1>
11+
<p class="lead">Explore the newest GitHub Advanced Security features and security demonstrations</p>
12+
<hr />
13+
</div>
14+
</div>
15+
16+
<!-- Alert for Log Results -->
17+
@if (TempData["LogResult"] != null)
18+
{
19+
<div class="alert alert-warning alert-dismissible fade show" role="alert">
20+
@TempData["LogResult"]
21+
<button type="button" class="btn-close" data-bs-dismiss="alert" aria-label="Close"></button>
22+
</div>
23+
}
24+
25+
@if (TempData["RegexTestResult"] != null)
26+
{
27+
<div class="alert alert-info alert-dismissible fade show" role="alert">
28+
@TempData["RegexTestResult"]
29+
<button type="button" class="btn-close" data-bs-dismiss="alert" aria-label="Close"></button>
30+
</div>
31+
}
32+
33+
<div class="row">
34+
<!-- Main Content Area -->
35+
<div class="col-lg-8">
36+
<!-- Latest GHAS News Section -->
37+
<div class="card mb-4 shadow-sm">
38+
<div class="card-header bg-gradient bg-primary text-white">
39+
<h3 class="card-title mb-0">
40+
<i class="bi bi-newspaper"></i> Latest GitHub Advanced Security Updates (2024-2026)
41+
</h3>
42+
</div>
43+
<div class="card-body">
44+
@if (Model.LatestSecurityNews.Any())
45+
{
46+
<div class="list-group list-group-flush">
47+
@foreach (var news in Model.LatestSecurityNews)
48+
{
49+
<div class="list-group-item border-start border-primary border-4">
50+
<div class="d-flex w-100 justify-content-between">
51+
<h6 class="mb-1 text-primary">
52+
<span class="badge bg-success me-2">NEW</span>
53+
<strong>@news.Title</strong>
54+
</h6>
55+
<small class="text-muted">@news.Date</small>
56+
</div>
57+
<p class="mb-1">@news.Description</p>
58+
<small class="text-muted">Category: @news.Category</small>
59+
</div>
60+
}
61+
</div>
62+
}
63+
else
64+
{
65+
<p class="text-muted">No security updates available.</p>
66+
}
67+
</div>
68+
</div>
69+
70+
<!-- Advanced GHAS Capabilities -->
71+
<div class="card mb-4 shadow-sm">
72+
<div class="card-header bg-dark text-white">
73+
<h3 class="card-title mb-0">
74+
<i class="bi bi-gear-fill"></i> Advanced GHAS Capabilities
75+
</h3>
76+
</div>
77+
<div class="card-body">
78+
<div class="accordion" id="ghasFeatures">
79+
<div class="accordion-item">
80+
<h2 class="accordion-header">
81+
<button class="accordion-button" type="button" data-bs-toggle="collapse" data-bs-target="#collapseCodeQL">
82+
<i class="bi bi-code-slash me-2"></i> CodeQL Analysis
83+
</button>
84+
</h2>
85+
<div id="collapseCodeQL" class="accordion-collapse collapse show" data-bs-parent="#ghasFeatures">
86+
<div class="accordion-body">
87+
<strong>Semantic Code Analysis Engine</strong> - CodeQL treats code as data, allowing complex security queries across your entire codebase.
88+
Supports 15+ languages including C/C++, C#, Java, JavaScript/TypeScript, Python, Go, and Ruby.
89+
<ul class="mt-2">
90+
<li>Custom query development for organization-specific patterns</li>
91+
<li>AI-assisted query generation with GitHub Copilot</li>
92+
<li>Real-time analysis in pull requests</li>
93+
</ul>
94+
</div>
95+
</div>
96+
</div>
97+
<div class="accordion-item">
98+
<h2 class="accordion-header">
99+
<button class="accordion-button collapsed" type="button" data-bs-toggle="collapse" data-bs-target="#collapseSecret">
100+
<i class="bi bi-shield-lock me-2"></i> Advanced Secret Scanning
101+
</button>
102+
</h2>
103+
<div id="collapseSecret" class="accordion-collapse collapse" data-bs-parent="#ghasFeatures">
104+
<div class="accordion-body">
105+
<strong>Multi-layer Secret Detection</strong> - Protects against credential exposure with advanced pattern matching.
106+
<ul class="mt-2">
107+
<li>250+ partner patterns for cloud providers and services</li>
108+
<li>Custom pattern support for proprietary secrets</li>
109+
<li>Push protection to prevent secrets from entering repositories</li>
110+
<li>Historical scanning of entire repository history</li>
111+
<li>Automatic partner notifications for validated leaks</li>
112+
</ul>
113+
</div>
114+
</div>
115+
</div>
116+
<div class="accordion-item">
117+
<h2 class="accordion-header">
118+
<button class="accordion-button collapsed" type="button" data-bs-toggle="collapse" data-bs-target="#collapseDependency">
119+
<i class="bi bi-box-seam me-2"></i> Supply Chain Security
120+
</button>
121+
</h2>
122+
<div id="collapseDependency" class="accordion-collapse collapse" data-bs-parent="#ghasFeatures">
123+
<div class="accordion-body">
124+
<strong>Comprehensive Dependency Management</strong> - Identify and remediate vulnerabilities in your software supply chain.
125+
<ul class="mt-2">
126+
<li>Automated dependency updates via Dependabot</li>
127+
<li>Vulnerability alerts with CVE details and remediation</li>
128+
<li>License compliance tracking</li>
129+
<li>Dependency review in pull requests</li>
130+
<li>SBOM (Software Bill of Materials) generation</li>
131+
</ul>
132+
</div>
133+
</div>
134+
</div>
135+
</div>
136+
</div>
137+
</div>
138+
</div>
139+
140+
<!-- Sidebar with Demos -->
141+
<div class="col-lg-4">
142+
<!-- Vulnerability Demo Card -->
143+
<div class="card mb-4 shadow-sm border-danger">
144+
<div class="card-header bg-danger text-white">
145+
<h4 class="card-title mb-0">
146+
<i class="bi bi-bug-fill"></i> Security Vulnerability Demo
147+
</h4>
148+
</div>
149+
<div class="card-body">
150+
<div class="alert alert-danger" role="alert">
151+
<strong><i class="bi bi-exclamation-triangle-fill"></i> Warning!</strong><br>
152+
This page contains intentionally insecure code for educational purposes.
153+
</div>
154+
155+
<!-- Log Injection Demo -->
156+
<form method="post" asp-page-handler="TestLogForging" class="mb-3">
157+
<div class="mb-3">
158+
<label for="username" class="form-label">
159+
<i class="bi bi-person"></i> Log Forging Demo:
160+
</label>
161+
<input type="text" class="form-control form-control-sm" id="username"
162+
name="username" placeholder="Enter username">
163+
<div class="form-text">
164+
⚠️ Demonstrates log injection vulnerability
165+
</div>
166+
</div>
167+
<button type="submit" class="btn btn-danger btn-sm w-100">
168+
<i class="bi bi-play-fill"></i> Test Log Forging
169+
</button>
170+
</form>
171+
172+
<hr>
173+
174+
<!-- ReDoS Demo -->
175+
<form method="post" asp-page-handler="TestRegexVulnerability" class="mb-3">
176+
<div class="mb-3">
177+
<label for="regexInput" class="form-label">
178+
<i class="bi bi-regex"></i> ReDoS Attack Demo:
179+
</label>
180+
<input type="text" class="form-control form-control-sm" id="regexInput"
181+
name="regexInput" placeholder="Try: aaaaaaaaaaaaaaaaaaa!">
182+
<div class="form-text">
183+
⚠️ Vulnerable regex: <code>^(a+)+$</code>
184+
</div>
185+
</div>
186+
<button type="submit" class="btn btn-warning btn-sm w-100">
187+
<i class="bi bi-clock"></i> Test ReDoS Pattern
188+
</button>
189+
</form>
190+
191+
<hr>
192+
193+
<!-- SQL Injection Info -->
194+
<div class="mt-3">
195+
<h6 class="text-danger">
196+
<i class="bi bi-database-fill-x"></i> Hardcoded Credentials
197+
</h6>
198+
<p class="small text-muted">
199+
This page's backend contains hardcoded database credentials that should be detected by GHAS secret scanning.
200+
</p>
201+
</div>
202+
</div>
203+
</div>
204+
205+
<!-- Statistics Card -->
206+
<div class="card mb-4 shadow-sm">
207+
<div class="card-header bg-info text-white">
208+
<h5 class="card-title mb-0">
209+
<i class="bi bi-graph-up"></i> GHAS Impact Stats
210+
</h5>
211+
</div>
212+
<div class="card-body">
213+
<div class="row text-center">
214+
<div class="col-6 border-end">
215+
<h3 class="text-primary">@Model.VulnerabilitiesDetected</h3>
216+
<small class="text-muted">Vulnerabilities<br>Detected</small>
217+
</div>
218+
<div class="col-6">
219+
<h3 class="text-success">@Model.AlertsResolved</h3>
220+
<small class="text-muted">Alerts<br>Resolved</small>
221+
</div>
222+
</div>
223+
<hr>
224+
<div class="row text-center">
225+
<div class="col-6 border-end">
226+
<h3 class="text-warning">@Model.SecretsFound</h3>
227+
<small class="text-muted">Secrets<br>Found</small>
228+
</div>
229+
<div class="col-6">
230+
<h3 class="text-info">@Model.DependencyAlerts</h3>
231+
<small class="text-muted">Dependency<br>Alerts</small>
232+
</div>
233+
</div>
234+
</div>
235+
</div>
236+
237+
<!-- Resources Card -->
238+
<div class="card shadow-sm">
239+
<div class="card-header bg-secondary text-white">
240+
<h5 class="card-title mb-0">
241+
<i class="bi bi-book"></i> Learning Resources
242+
</h5>
243+
</div>
244+
<div class="card-body">
245+
<div class="d-grid gap-2">
246+
<a href="https://docs.github.com/en/enterprise-cloud@latest/code-security"
247+
class="btn btn-outline-primary btn-sm" target="_blank">
248+
<i class="bi bi-file-text"></i> GHAS Documentation
249+
</a>
250+
<a href="https://github.blog/category/security/"
251+
class="btn btn-outline-info btn-sm" target="_blank">
252+
<i class="bi bi-newspaper"></i> Security Blog
253+
</a>
254+
<a href="https://codeql.github.com/"
255+
class="btn btn-outline-success btn-sm" target="_blank">
256+
<i class="bi bi-code-square"></i> CodeQL Docs
257+
</a>
258+
<a href="https://github.com/advanced-security"
259+
class="btn btn-outline-warning btn-sm" target="_blank">
260+
<i class="bi bi-github"></i> GHAS Resources
261+
</a>
262+
</div>
263+
</div>
264+
</div>
265+
</div>
266+
</div>
267+
268+
<!-- Best Practices Section -->
269+
<div class="row mt-4">
270+
<div class="col-12">
271+
<div class="card shadow-sm">
272+
<div class="card-header bg-success text-white">
273+
<h4 class="card-title mb-0">
274+
<i class="bi bi-check-circle-fill"></i> DevSecOps Best Practices with GHAS
275+
</h4>
276+
</div>
277+
<div class="card-body">
278+
<div class="row">
279+
<div class="col-md-6">
280+
<h6><i class="bi bi-1-circle-fill text-primary"></i> Shift Left Security</h6>
281+
<p class="small">Integrate security scanning early in the development lifecycle, enabling developers to identify and fix vulnerabilities before they reach production.</p>
282+
283+
<h6><i class="bi bi-2-circle-fill text-primary"></i> Automated Security Gates</h6>
284+
<p class="small">Implement automated checks in CI/CD pipelines to block PRs with critical vulnerabilities or exposed secrets.</p>
285+
286+
<h6><i class="bi bi-3-circle-fill text-primary"></i> Developer Training</h6>
287+
<p class="small">Use GHAS findings as teaching moments to improve team security awareness and coding practices.</p>
288+
</div>
289+
<div class="col-md-6">
290+
<h6><i class="bi bi-4-circle-fill text-success"></i> Custom Security Policies</h6>
291+
<p class="small">Create organization-specific CodeQL queries to detect patterns unique to your codebase and compliance requirements.</p>
292+
293+
<h6><i class="bi bi-5-circle-fill text-success"></i> Continuous Monitoring</h6>
294+
<p class="small">Enable real-time security scanning on all branches to catch issues immediately as code is committed.</p>
295+
296+
<h6><i class="bi bi-6-circle-fill text-success"></i> Incident Response</h6>
297+
<p class="small">Leverage security advisories and automated notifications to rapidly respond to newly disclosed vulnerabilities.</p>
298+
</div>
299+
</div>
300+
</div>
301+
</div>
302+
</div>
303+
</div>
304+
305+
<!-- Info Footer -->
306+
<div class="row mt-4 mb-4">
307+
<div class="col-12">
308+
<div class="alert alert-primary" role="alert">
309+
<h5 class="alert-heading">
310+
<i class="bi bi-info-circle-fill"></i> About This Demo Page
311+
</h5>
312+
<p>
313+
This DevSecOps demo page (ID: 2649) showcases the power of GitHub Advanced Security by deliberately
314+
including security anti-patterns and vulnerabilities. When GHAS code scanning is enabled, it will
315+
automatically detect and alert on these issues, demonstrating the platform's capability to identify:
316+
</p>
317+
<ul>
318+
<li><strong>Log Injection/Forging:</strong> Unsanitized user input in log statements</li>
319+
<li><strong>Regular Expression Denial of Service (ReDoS):</strong> Vulnerable regex patterns</li>
320+
<li><strong>Hardcoded Secrets:</strong> Embedded credentials and API keys</li>
321+
<li><strong>SQL Injection:</strong> Unsafe database query construction</li>
322+
<li><strong>Insecure Deserialization:</strong> Vulnerable JSON handling</li>
323+
</ul>
324+
<hr>
325+
<p class="mb-0">
326+
<strong>Note:</strong> All vulnerabilities on this page are intentional and for demonstration purposes only.
327+
Never deploy code with these patterns to production environments.
328+
</p>
329+
</div>
330+
</div>
331+
</div>
332+
</div>
333+
334+
@section Scripts {
335+
<script>
336+
// Auto-dismiss alerts after 8 seconds
337+
setTimeout(function() {
338+
const alerts = document.querySelectorAll('.alert-dismissible');
339+
alerts.forEach(alert => {
340+
if (bootstrap && bootstrap.Alert) {
341+
const bsAlert = new bootstrap.Alert(alert);
342+
bsAlert.close();
343+
}
344+
});
345+
}, 8000);
346+
347+
// Add smooth scrolling to anchor links
348+
document.querySelectorAll('a[href^="#"]').forEach(anchor => {
349+
anchor.addEventListener('click', function (e) {
350+
e.preventDefault();
351+
const target = document.querySelector(this.getAttribute('href'));
352+
if (target) {
353+
target.scrollIntoView({ behavior: 'smooth' });
354+
}
355+
});
356+
});
357+
</script>
358+
}
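Review bot: In the `@section Scripts` block, `if (bootstrap && bootstrap.Alert)` does not actually guard against the Bootstrap bundle being absent: referencing an undeclared global throws a ReferenceError before the `&&` is evaluated, so the auto-dismiss callback fails on any layout that does not load bootstrap.bundle.js; use `if (typeof bootstrap !== 'undefined' && bootstrap.Alert)` instead. The smooth-scroll handler has a related edge case: `document.querySelector(this.getAttribute('href'))` throws a SyntaxError for a bare `href="#"` (not a valid selector), and `e.preventDefault()` has already run by then, so such a link becomes a dead link that also logs an error; check that the href is longer than `#` before querying. Separately, the "About This Demo Page" list advertises SQL Injection and Insecure Deserialization findings, but the only handlers wired up in this markup are `TestLogForging` and `TestRegexVulnerability`, and the block commented `<!-- SQL Injection Info -->` actually describes hardcoded credentials; either point those items at the backend file that carries them or trim the list so the GHAS alerts a reader expects match what this page exercises. Finally, since the ReDoS form posts arbitrary input against `^(a+)+$` and the footer itself says the patterns must never reach production, consider restricting the two demo POST handlers to the Development environment so a published copy of the page cannot be used to tie up the server.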
