diff --git a/README.md b/README.md index fd6d112..ce71a08 100644 --- a/README.md +++ b/README.md @@ -1,84 +1,100 @@ -# 🔐 SecureTrails - GitHub Security Workshop +# Security Engineering with GitHub Copilot — Workshop -![Duration: 2 Hours](https://img.shields.io/badge/Duration-2%20Hours-blue) -![Level: Intermediate](https://img.shields.io/badge/Level-Intermediate-orange) -![GitHub](https://img.shields.io/badge/GitHub-Security-green) +> **Audience**: Developers and security engineers who want to integrate GitHub Copilot into a real security workflow +> **Total Duration**: ~50 min mandatory + ~30 min optional (see two-track map below) +> **Pre-requisites**: VS Code with GitHub Copilot Chat extension, Python 3.9+, Git CLI, GitHub CLI, GitHub Copilot access, GitHub MCP, Mermaid extension for VS Code. --- -## 📖 The Story +## What You Will Build -Welcome to **SecureTrails**, a popular travel booking and trail management platform! Founded in 2018, our platform connects millions of adventure enthusiasts with curated hiking, trekking, and adventure trails worldwide. +You will secure **SecureTrails** — a deliberately vulnerable Flask trail-booking application — using GitHub's complete security ecosystem. Every vulnerability is detected, analysed, and fixed by directing Copilot through prompts. You do not write code from scratch. -However, our security posture has been neglected. GitHub's Advanced Security scans have recently flagged critical vulnerabilities in our codebase: +The workshop spans the full detection-to-fix cycle: GitHub Advanced Security finds the issues, Copilot CLI explains them, Custom Agents guide remediation, and GitHub Actions enforces the pipeline on every push. -- 🔴 **SQL Injection** in our database query layer -- 🔴 **Broken Authentication** in user permission validation -- 🔴 **Hardcoded Secrets** in environment files -- 🔴 **Vulnerable Dependencies** in our Python packages +**Core capabilities from [`requirement.md`](requirement.md):** -As a newly hired Security Engineer at SecureTrails, your mission is to **audit, analyze, and remediate these vulnerabilities** using GitHub's complete security ecosystem. We need to secure our platform before the peak season when millions of users rely on us. +| Capability | Description | +|---|---| +| **GHAS Detection** | CodeQL, Secret Scanning, and Dependabot scan automatically on every push | +| **Copilot CLI Analysis** | Interactive multi-turn sessions explain vulnerabilities and fix patterns | +| **Custom Agents** | Reusable `.agent.md` guides scoped to each vulnerability class | +| **Actions Enforcement** | Workflow blocks PR merges when critical alerts are open | +| **Copilot Agent Fixes** | Inline edits apply secure patterns across entire files in one step | --- -## 🎯 Workshop Objectives +## Prerequisites -By the end of this 2-hour workshop, you will: - -✅ Understand GitHub's native security features (GHAS, CodeQL, Secret Scanning, Dependabot) -✅ Use Copilot CLI for interactive vulnerability analysis -✅ Create custom security agents to guide fix remediation -✅ Automate security workflows with GitHub Actions -✅ Deploy a complete, repeatable security strategy +- VS Code with GitHub Copilot and GitHub Copilot Chat extensions installed and signed in +- Python 3.9+ and pip +- Git 2.40+ +- GitHub CLI (`gh`) v2.0+ — authenticated with `gh auth login` +- GitHub Copilot access (individual or organisation licence) +- Node.js (for `npx @github/copilot` in Exercises 06–08) --- -## 🛠️ Prerequisites - -### Required Tools - -- **Visual Studio Code** (latest version) -- **GitHub Copilot CLI** (`npx @github/copilot`) -- **GitHub CLI** (`gh` v2.0+) -- **Git** (v2.40+) - -### Authentication +## Workshop Map -- **GitHub Account** (with Copilot access) -- **GitHub Authentication** (`gh auth login`) +> **Two-Track Design**: Complete the **Mandatory Track** first (~50 min), then pick any **Optional** exercises based on time and interest. -### Access +--- -- Clone of **SecureTrails** vulnerable app: `https://github.com/Hemavathi15sg/securetrails-workshop` +### Mandatory Track (~50 minutes) + +| # | Exercise | Copilot Feature | Duration | +|---|----------|----------------|----------| +| 01 | [Prerequisites & Setup](workshop/exercise-01-setup.md) | Copilot Chat | 5 min | +| 02 | [Explore the Vulnerable Application](workshop/exercise-02-explore-app.md) | Copilot Chat (Explain) | 5 min | +| 03 | [Enable GitHub Advanced Security](workshop/exercise-03-enable-ghas.md) | GitHub Native Security | 10 min | +| 04 | [Review CodeQL Findings & Autofix](workshop/exercise-04-codeql-findings.md) | Copilot Autofix | 10 min | +| 05 | [Review Secret Scanning & Dependabot](workshop/exercise-05-secrets-dependabot.md) | GHAS | 5 min | +| 06 | [Copilot CLI Interactive Analysis](workshop/exercise-06-copilot-cli-analysis.md) | Copilot CLI | 10 min | +| 07 | [Create GitHub Issues from Findings](workshop/exercise-07-create-issues.md) | Copilot CLI + GitHub MCP | 5 min | +| 08 | [Create Custom Security Agents](workshop/exercise-08-custom-agents.md) | Copilot Custom Agents | 10 min | +| 09 | [GitHub Actions Security Pipeline](workshop/exercise-09-actions-pipeline.md) | Copilot Agent (Agent Mode) | 10 min | +| 10 | [Fix SQL Injection with Copilot](workshop/exercise-10-fix-sql-injection.md) | Copilot Agent (Inline) | 10 min | +| 11 | [Fix Broken Authentication](workshop/exercise-11-fix-auth.md) | Copilot Agent + Chat | 10 min | +| 12 | [Verify Fixes & Complete the Cycle](workshop/exercise-12-verify-complete.md) | Copilot Chat + GHAS | 5 min | --- -## 📚 Workshop Exercises +### Optional Track (~30 minutes — pick any, in any order) + +| # | Exercise | Copilot Feature | Duration | Best After | +|---|----------|----------------|----------|------------| +| 13 | [Fix XSS Vulnerabilities](workshop/exercise-13-fix-xss.md) | Copilot Agent + Chat | 10 min | Ex 04 | +| 14 | [Fix Hardcoded Secrets](workshop/exercise-14-fix-secrets.md) | Copilot Agent + Chat | 5 min | Ex 05 | +| 15 | [Update Vulnerable Dependencies](workshop/exercise-15-update-dependencies.md) | Copilot Chat + Dependabot | 5 min | Ex 05 | +| 16 | [Write Security Tests](workshop/exercise-16-security-tests.md) | Copilot Agent (Test Gen) | 10 min | Ex 10 | +| 17 | [Security Policy & Compliance Docs](workshop/exercise-17-security-docs.md) | Copilot Chat (Docs) | 10 min | Ex 12 | -| # | Exercise | Duration | Level | Focus | What You'll Do | -|---|----------|----------|-------|-------|---| -| 0 | [Prerequisites & Setup](./docs/0-prereqs.md) | 10 min | ⭐ | Setup | Install tools, authenticate with GitHub | -| 1 | [GitHub NATIVE Security (GHAS)](./docs/1-github-native-security.md) | 20 min | ⭐⭐ | Detection | Enable GHAS, review CodeQL findings, secrets, Dependabot alerts | -| 2 | [Copilot CLI - Interactive Analysis](./docs/2-copilot-cli-interactive.md) | 20 min | ⭐⭐⭐ | Analysis | Use Copilot CLI to analyze vulnerabilities, create GitHub issues | -| 3 | [Create Custom Agents](./docs/3-custom-agents-creation.md) | 20 min | ⭐⭐⭐⭐ | Documentation | Build fix guides using Copilot CLI `/agents` system | -| 4 | [GitHub Actions Integration](./docs/4-github-actions-orchestration.md) | 20 min | ⭐⭐⭐⭐ | Automation | Orchestrate GHAS → Issues → Agents → Workflows | -| 5 | [Real-World Ecosystem](./docs/5-real-world-ecosystem.md) | 20 min | ⭐⭐⭐⭐⭐ | Deployment | Deploy complete security strategy end-to-end | +> Exercises 13–15 fix vulnerabilities not covered in the mandatory track. Complete at least one of 13–15 before 16 to have a fixed codebase to write tests against. --- -## 📚 Related Resources +## Key GitHub Copilot Features Covered -- [GitHub Advanced Security Docs](https://docs.github.com/en/enterprise-cloud@latest/code-security) -- [Copilot CLI Documentation](https://docs.github.com/en/copilot/github-copilot-cli/about-github-copilot-cli) -- [GitHub CodeQL](https://codeql.github.com/) -- [Dependabot Alerts](https://docs.github.com/en/code-security/dependabot) -- [Secret Scanning](https://docs.github.com/en/code-security/secret-scanning) +| Feature | Description | +|---------|-------------| +| **Copilot Chat (Explain)** | Conversational code exploration and attack surface mapping | +| **Copilot Autofix** | One-click patch generation directly on GHAS alert pages | +| **Copilot CLI (Interactive)** | Multi-turn terminal sessions for vulnerability deep-dives | +| **Copilot Agent (Inline)** | Applies secure coding patterns across entire files | +| **Custom Agents** | Reusable `.agent.md` files scoped to specific vulnerability classes | --- -**Ready to secure SecureTrails?** +## Getting Started -## [→ Start with Exercise 0: Prerequisites & Setup](./docs/0-prereqs.md) +1. Clone the repository: `git clone https://github.com/Hemavathi15sg/securetrails-workshop.git` +1. Open in VS Code: `code securetrails-workshop` +1. Ensure **GitHub Copilot** and **GitHub Copilot Chat** extensions are installed and signed in +1. Open the Copilot Chat panel (`Ctrl+Alt+I`) +1. Start with [Exercise 01](workshop/exercise-01-setup.md) --- +> **Instructor Note**: Each exercise has an `` comment in the markdown source. Exercises are designed so attendees never write code — they copy **prompts** and let Copilot generate the output. + diff --git a/workshop/exercise-01-setup.md b/workshop/exercise-01-setup.md new file mode 100644 index 0000000..524e1d0 --- /dev/null +++ b/workshop/exercise-01-setup.md @@ -0,0 +1,83 @@ +# Exercise 01 — Prerequisites & Setup + +**Duration**: 5 minutes +**Copilot Feature**: GitHub Copilot Chat +**Goal**: Verify all tools are installed and the SecureTrails repository is open and ready. + +--- + +## Background + +This workshop secures **SecureTrails**, a deliberately vulnerable Flask trail-booking app. You will not write code — you will direct GitHub Copilot to detect and fix security vulnerabilities across the full SDLC. This exercise confirms your environment is ready before any security work begins. + +--- + +## Step 1 — Verify Required Tools + +Open a terminal and run: + +```bash +code --version +python --version +git --version +gh --version +``` + +> **Tip**: If any tool is missing — VS Code: code.visualstudio.com | Python: python.org | Git: git-scm.com | GitHub CLI: cli.github.com + +--- + +## Step 2 — Authenticate GitHub CLI + +```bash +gh auth login +``` + +Select **HTTPS** and **Login with a web browser**. Verify: + +```bash +gh auth status +``` + +Expected: `Logged in to github.com as ` + +--- + +## Step 3 — Clone & Open the Repository + +```bash +git clone https://github.com/Hemavathi15sg/securetrails-workshop.git +cd securetrails-workshop +code . +``` + +--- + +## Step 4 — Open Copilot Chat + +In VS Code press `Ctrl+Alt+I` to open the Copilot Chat panel. Confirm it is signed in. + +Copy and paste the following prompt into the chat: + +``` +I just opened the securetrails-workshop repository. Summarize the purpose of this Flask application and list the top files I should review for a security audit. +``` + +--- + +## Verify + +- [ ] All four tools print a version number +- [ ] `gh auth status` shows your GitHub account +- [ ] Repository is open in VS Code +- [ ] Copilot Chat responds with an app summary + +--- + +## Key Takeaway + +> A verified environment with authenticated GitHub CLI and Copilot Chat is the prerequisite for every security exercise that follows. + +--- + +**Next**: [Exercise 02 — Explore the Vulnerable Application](exercise-02-explore-app.md) diff --git a/workshop/exercise-02-explore-app.md b/workshop/exercise-02-explore-app.md new file mode 100644 index 0000000..68f6794 --- /dev/null +++ b/workshop/exercise-02-explore-app.md @@ -0,0 +1,66 @@ +# Exercise 02 — Explore the Vulnerable Application + +**Duration**: 5 minutes +**Copilot Feature**: Copilot Chat (Explain) +**Goal**: Use Copilot to understand what SecureTrails does and identify its attack surface before scanning. + +--- + +## Background + +Before running any security tools, a security engineer reads the codebase to understand what it does. Copilot Chat's `/explain` capability lets you do this conversationally — no line-by-line reading required. This exercise maps the attack surface so later findings make sense in context. + +--- + +## Step 1 — Understand the Application Structure + +Open `apps/securetrails-vulnerable/app.py` in the editor. Then open Copilot Chat and paste: + +``` +Explain what this Flask application does. List every route, what data each route reads or writes, and what user inputs are accepted. Focus on anything that touches the database or renders user-supplied data. +``` + +--- + +## Step 2 — Identify the Attack Surface + +In Copilot Chat, paste: + +``` +Based on app.py, database.py, and the templates folder, list all the places where: +1. User input is used in database queries +2. User-supplied content is rendered in HTML +3. Credentials or secrets appear in source code +4. Session or authentication checks are performed + +Format each finding as: File | Line (approx) | Risk type +``` + +--- + +## Step 3 — Review the Dependencies + +Open `apps/securetrails-vulnerable/requirements.txt` in the editor. Paste into Copilot Chat: + +``` +Review this requirements.txt. For each package, tell me the pinned version and whether that version has any known critical or high CVEs. List packages that should be updated immediately. +``` + +--- + +## Verify + +- [ ] Copilot identified at least 3 routes that accept user input +- [ ] Copilot flagged at least one location where user input touches SQL +- [ ] Copilot flagged at least one outdated dependency +- [ ] You can name the two main vulnerability types present in this app + +--- + +## Key Takeaway + +> Copilot Chat turns codebase exploration into a conversation — you understand the attack surface in minutes instead of hours. + +--- + +**Next**: [Exercise 03 — Enable GitHub Advanced Security](exercise-03-enable-ghas.md) diff --git a/workshop/exercise-03-enable-ghas.md b/workshop/exercise-03-enable-ghas.md new file mode 100644 index 0000000..364c200 --- /dev/null +++ b/workshop/exercise-03-enable-ghas.md @@ -0,0 +1,78 @@ +# Exercise 03 — Enable GitHub Advanced Security + +**Duration**: 10 minutes +**Copilot Feature**: GitHub Native Security (GHAS) +**Goal**: Enable CodeQL, Secret Scanning, Dependabot, and Code Quality on the SecureTrails repository. + +--- + +## Background + +GitHub Advanced Security (GHAS) is a set of built-in scanning services that run on GitHub's servers — no custom tooling required. Enabling it gives you automated detection of code vulnerabilities, hardcoded secrets, and vulnerable dependencies on every push. This exercise activates GHAS so you have real findings to work with. + +--- + +## Step 1 — Navigate to Security Settings + +In your GitHub repository, click the **Security** tab, then go to **Settings → Code Security**. + +Enable the following: + +- **Dependabot alerts** — ON +- **Dependabot security updates** — ON +- **Code scanning (CodeQL)** — ON (use Default setup) +- **Secret scanning** — ON +- **Push protection** — ON + +> **Tip**: Push protection blocks commits that contain secrets before they ever reach the repository. + +--- + +## Step 2 — Enable Code Quality Preview + +In Settings, scroll to **Code quality (preview)** and enable it. This adds maintainability and bug-detection signals alongside security findings. + +--- + +## Step 3 — Confirm Scanning Has Started + +After enabling, navigate to **Security → Code scanning**. Within 2–5 minutes you should see the first CodeQL scan running or completed. + +> **Note**: If this is a fresh fork, push any small change (e.g., add a blank line to README) to trigger the first scan. + +```bash +echo "" >> README.md +git add README.md +git commit -m "chore: trigger initial GHAS scan" +git push +``` + +--- + +## Step 4 — Ask Copilot What GHAS Provides + +In Copilot Chat, paste: + +``` +Explain what GitHub Advanced Security (GHAS) scans for automatically. What is CodeQL, what is Secret Scanning, and what is Dependabot? How are they different from running a linter? +``` + +--- + +## Verify + +- [ ] Dependabot alerts are enabled +- [ ] CodeQL scanning is enabled (Default setup) +- [ ] Secret scanning and push protection are ON +- [ ] Code scanning tab shows a scan running or completed +- [ ] You can explain the difference between CodeQL and Dependabot + +--- + +## Key Takeaway + +> Enabling GHAS takes under five minutes and gives your repository continuous, automated security scanning without writing a single line of custom tooling. + +--- + +**Next**: [Exercise 04 — Review CodeQL Findings & Autofix](exercise-04-codeql-findings.md) diff --git a/workshop/exercise-04-codeql-findings.md b/workshop/exercise-04-codeql-findings.md new file mode 100644 index 0000000..fcbb365 --- /dev/null +++ b/workshop/exercise-04-codeql-findings.md @@ -0,0 +1,89 @@ +# Exercise 04 — Review CodeQL Findings & Autofix + +**Duration**: 10 minutes +**Copilot Feature**: Copilot Autofix (GHAS) +**Goal**: Read CodeQL scan results, understand each finding, and use Copilot Autofix to generate a patch for one vulnerability. + +--- + +## Background + +CodeQL performs semantic code analysis — it understands data flow, not just text patterns. It finds vulnerabilities like SQL injection even when the tainted data travels through multiple functions before reaching a dangerous sink. Copilot Autofix extends CodeQL by generating a ready-to-apply code patch directly on the alert page. + +--- + +## Step 1 — Open Code Scanning Alerts + +In GitHub, go to **Security → Code scanning alerts**. You will see a list like: + +| Alert | Severity | File | +|-------|----------|------| +| SQL injection | Critical | app.py | +| Cross-site scripting | High | templates/trails.html | +| Weak password hashing | Medium | app.py | + +Click on the **SQL injection** alert to open its detail view. + +--- + +## Step 2 — Read the Finding Detail + +On the alert page, review: +- **Rule**: The CWE or rule ID +- **Location**: Exact file and line +- **Data flow path**: How user input reaches the dangerous sink + +Copy the alert description text, then paste into Copilot Chat: + +``` +Here is a CodeQL finding from our SecureTrails app: [paste alert description]. +Explain in plain English what an attacker could do with this vulnerability and what the correct fix pattern is. +``` + +--- + +## Step 3 — Use Copilot Autofix + +On the same alert page, click **Generate fix**. Copilot Autofix will: + +1. Propose a code patch +2. Show a diff of before/after changes +3. Explain why the fix is safe + +Review the diff. If it looks correct, click **Commit fix** to apply it directly. + +> **Tip**: Do NOT accept a fix blindly. Read the diff and confirm it does not break any intentional logic. + +--- + +## Step 4 — Check Remaining Alerts + +Scan through the remaining Code scanning alerts and note: + +- How many are Critical vs High vs Medium? +- Which files appear most often? + +In Copilot Chat, paste: + +``` +I have CodeQL alerts for SQL injection, XSS, and weak password hashing in a Flask app. Rank these by real-world exploitability and suggest which to fix first. +``` + +--- + +## Verify + +- [ ] Code scanning alerts page shows at least 2 findings +- [ ] You opened and read the SQL injection alert detail +- [ ] Copilot Autofix generated a patch for at least one alert +- [ ] You can explain what "data flow analysis" means vs pattern matching + +--- + +## Key Takeaway + +> CodeQL finds vulnerabilities that pattern-matching tools miss; Copilot Autofix closes the loop by delivering a reviewable patch on the same page. + +--- + +**Next**: [Exercise 05 — Review Secret Scanning & Dependabot](exercise-05-secrets-dependabot.md) diff --git a/workshop/exercise-05-secrets-dependabot.md b/workshop/exercise-05-secrets-dependabot.md new file mode 100644 index 0000000..7cffaab --- /dev/null +++ b/workshop/exercise-05-secrets-dependabot.md @@ -0,0 +1,77 @@ +# Exercise 05 — Review Secret Scanning & Dependabot + +**Duration**: 5 minutes +**Copilot Feature**: GitHub Native Security (GHAS) +**Goal**: Identify hardcoded secrets and vulnerable dependencies detected by GitHub's built-in scanners. + +--- + +## Background + +Secret Scanning detects credential patterns (API keys, tokens, passwords) committed to the repository. Dependabot cross-references your `requirements.txt` against a public CVE database. Both run automatically as part of GHAS — this exercise reads their output and creates a tracking issue for remediation. + +--- + +## Step 1 — Review Secret Scanning Alerts + +In GitHub, go to **Security → Secret scanning**. You will see alerts for secrets committed in the codebase. + +Common findings for SecureTrails: +- `config.py` — hardcoded `SECRET_KEY` +- `config.py` — hardcoded database password + +For each alert, note the **secret type**, **file**, and **line**. + +> **Tip**: Even if a secret is in a private repo, treat it as compromised and rotate it immediately. + +--- + +## Step 2 — Review Dependabot Alerts + +Go to **Security → Dependabot alerts**. For each vulnerable package, note: +- Package name and pinned version +- CVE identifier +- Severity (Critical / High / Medium) +- Patched version available + +SecureTrails uses intentionally old versions — you should see alerts for Flask, requests, and SQLAlchemy. + +--- + +## Step 3 — Create a Tracking Issue with Copilot + +Open Copilot Chat and paste: + +``` +I need to create a consolidated GitHub issue to track all GHAS findings for the SecureTrails repository. +Include sections for: CodeQL findings (SQL injection, XSS, weak hashing), Secret scanning (hardcoded SECRET_KEY and DB password), and Dependabot (Flask, requests, SQLAlchemy CVEs). +Format it as a GitHub issue body with checkboxes for each item and a priority label suggestion. +``` + +Use the generated body to create the issue: + +```bash +gh issue create \ + --title "[SECURITY] GHAS findings — SecureTrails remediation tracker" \ + --label "security" \ + --body "" +``` + +--- + +## Verify + +- [ ] Secret scanning shows at least one hardcoded credential alert +- [ ] Dependabot shows at least two vulnerable package alerts +- [ ] Tracking issue created in the repository with finding checkboxes +- [ ] You know the patched versions for Flask and requests + +--- + +## Key Takeaway + +> Secret Scanning and Dependabot provide zero-effort detection; a single consolidated issue keeps all findings visible and prioritised for the team. + +--- + +**Next**: [Exercise 06 — Copilot CLI Interactive Analysis](exercise-06-copilot-cli-analysis.md) diff --git a/workshop/exercise-06-copilot-cli-analysis.md b/workshop/exercise-06-copilot-cli-analysis.md new file mode 100644 index 0000000..7c00923 --- /dev/null +++ b/workshop/exercise-06-copilot-cli-analysis.md @@ -0,0 +1,79 @@ +# Exercise 06 — Copilot CLI Interactive Analysis + +**Duration**: 10 minutes +**Copilot Feature**: Copilot CLI (Interactive Mode) +**Goal**: Use Copilot CLI's interactive shell to perform a conversational deep-dive on the vulnerabilities GHAS detected. + +--- + +## Background + +GHAS tells you *what* was found. Copilot CLI tells you *why it matters* and *how to fix it* — through a multi-turn conversation. Unlike one-shot prompts, the interactive shell lets you ask follow-up questions, explore trade-offs, and get architecture-specific guidance. This exercise drills into the SQL injection finding from Exercise 04. + +--- + +## Step 1 — Launch Copilot CLI + +Open a terminal and start the interactive session: + +```bash +npx @github/copilot -i "I am reviewing a Flask web application called SecureTrails. +GitHub CodeQL found a SQL injection vulnerability in app.py. +User input from request.args is concatenated directly into a SQL query string. +Tell me: (1) how an attacker would exploit this, (2) the exact fix pattern for Flask + SQLite, and (3) how to write a test that proves the fix works." +``` + +--- + +## Step 2 — Follow Up on Fix Trade-offs + +Within the same session, continue: + +``` +What is the difference between using parameterized queries vs using an ORM like SQLAlchemy for this fix? +Which should we use for a small team with an existing codebase and why? +``` + +--- + +## Step 3 — Expand to Auth Vulnerability + +Continue in the same session: + +``` +GHAS also flagged that our DELETE /booking/ endpoint does not verify that the logged-in user owns the booking. +A user can delete anyone's booking by changing the URL parameter. +What is this vulnerability called, what is its OWASP category, and what is the Flask pattern to fix it? +``` + +--- + +## Step 4 — Generate a Remediation Summary + +Continue in the same session: + +``` +Summarise all three vulnerabilities we discussed (SQL injection, broken object-level authorisation, weak hashing) in a table with columns: Vulnerability | OWASP category | Severity | Fix pattern | Estimated fix time. +``` + +Copy the table output — you will use it in the next exercise. + +--- + +## Verify + +- [ ] Copilot CLI interactive session started successfully +- [ ] Copilot explained how SQL injection is exploited step by step +- [ ] Copilot recommended parameterized queries with a code example +- [ ] Copilot named the auth issue as BOLA/IDOR and gave a Flask fix pattern +- [ ] You have a remediation summary table + +--- + +## Key Takeaway + +> Copilot CLI's interactive mode gives you a security consultant in your terminal — multi-turn, context-aware, and specific to your stack. + +--- + +**Next**: [Exercise 07 — Create GitHub Issues from Findings](exercise-07-create-issues.md) diff --git a/workshop/exercise-07-create-issues.md b/workshop/exercise-07-create-issues.md new file mode 100644 index 0000000..2f187ca --- /dev/null +++ b/workshop/exercise-07-create-issues.md @@ -0,0 +1,67 @@ +# Exercise 07 — Create GitHub Issues from Findings + +**Duration**: 5 minutes +**Copilot Feature**: Copilot CLI + GitHub MCP +**Goal**: Use Copilot CLI to create well-formed GitHub issues for each critical vulnerability, linked to the owning developer. + +--- + +## Background + +Security findings have no value until a developer is assigned to fix them. GitHub Issues are the handoff mechanism between detection (GHAS / Copilot CLI) and remediation. Copilot CLI can create issues directly through GitHub's MCP integration — including title, labels, body, and assignee — without leaving the terminal. + +--- + +## Step 1 — Create Issue for SQL Injection + +Open a terminal and paste: + +```bash +npx @github/copilot -i "Create a GitHub issue in repository Hemavathi15sg/securetrails-workshop with: +- Title: fix(security): SQL Injection — parameterize database queries in app.py +- Labels: security, critical, bug +- Body: Include the vulnerability location (app.py, search_trails function), the attack scenario, the required fix (parameterized queries), and a checklist of done criteria." +``` + +Note the issue number returned (e.g., `#12`). + +--- + +## Step 2 — Create Issue for Broken Authentication + +```bash +npx @github/copilot -i "Create a GitHub issue in repository Hemavathi15sg/securetrails-workshop with: +- Title: fix(security): Broken Object-Level Auth — verify ownership in booking endpoints +- Labels: security, critical, bug +- Body: Include the vulnerable endpoint (DELETE /booking/), the attack scenario (user can delete any booking by changing the URL), and the required fix (check session user_id matches booking owner)." +``` + +--- + +## Step 3 — Create Issue for Hardcoded Secrets + +```bash +npx @github/copilot -i "Create a GitHub issue in repository Hemavathi15sg/securetrails-workshop with: +- Title: fix(security): Hardcoded secrets — move credentials to environment variables +- Labels: security, critical +- Body: List config.py as location, describe the risk of credentials in version control, and list the fix steps: move to .env, add .env to .gitignore, read via os.environ." +``` + +--- + +## Verify + +- [ ] Three issues created with labels `security` and `critical` +- [ ] Each issue has a clear vulnerability description and fix checklist +- [ ] Issues appear in the repository Issues tab with correct labels +- [ ] You can navigate to each issue by its URL + +--- + +## Key Takeaway + +> Copilot CLI can translate raw security findings into developer-ready GitHub issues in seconds, bridging the gap between detection and remediation. + +--- + +**Next**: [Exercise 08 — Create Custom Security Agents](exercise-08-custom-agents.md) diff --git a/workshop/exercise-08-custom-agents.md b/workshop/exercise-08-custom-agents.md new file mode 100644 index 0000000..5abdfdf --- /dev/null +++ b/workshop/exercise-08-custom-agents.md @@ -0,0 +1,84 @@ +# Exercise 08 — Create Custom Security Agents + +**Duration**: 10 minutes +**Copilot Feature**: Copilot Custom Agents (`.github/agents/`) +**Goal**: Create two custom `.agent.md` files that guide developers through specific vulnerability remediations. + +--- + +## Background + +A Copilot custom agent is a reusable instruction set stored as a `.agent.md` file in `.github/agents/`. When a developer opens one, Copilot provides context-aware, opinionated guidance scoped to that agent's purpose. For security, this means each vulnerability class gets its own expert guide that any developer can invoke without needing to know the full security context. + +--- + +## Step 1 — Create the SQL Injection Remediation Agent + +In Copilot CLI, paste: + +```bash +npx @github/copilot -i "Create a custom Copilot agent file for SQL injection remediation in our Flask + SQLite app. +The agent should be saved as .github/agents/sql-injection-fix.agent.md and include: +- A description of the vulnerability in SecureTrails context +- Step-by-step fix instructions using parameterized queries +- A before/after code example specific to the search_trails function in app.py +- How to test the fix using curl with injection payloads +- Common mistakes to avoid" +``` + +Confirm the file was created at `.github/agents/sql-injection-fix.agent.md`. + +--- + +## Step 2 — Create the Auth Fix Agent + +```bash +npx @github/copilot -i "Create a custom Copilot agent file for broken object-level authorisation in our Flask app. +Save it as .github/agents/auth-fix.agent.md and include: +- Explanation of BOLA (Broken Object-Level Authorisation) in plain language +- Flask decorator pattern to check session user_id matches resource owner_id +- Before/after code example for the DELETE /booking/ endpoint +- Test cases: verify that user A cannot delete user B's booking" +``` + +--- + +## Step 3 — Select and Test the SQL Agent + +In Copilot CLI, activate the agent: + +```bash +npx @github/copilot -i "Use the agent at .github/agents/sql-injection-fix.agent.md. +I am fixing app.py line 47. Walk me through the exact steps." +``` + +Confirm the agent responds with guidance that references SecureTrails-specific details. + +--- + +## Step 4 — Commit the Agents + +```bash +git add .github/agents/ +git commit -m "feat: add security remediation agents for SQL injection and auth" +git push +``` + +--- + +## Verify + +- [ ] `.github/agents/sql-injection-fix.agent.md` exists in the repository +- [ ] `.github/agents/auth-fix.agent.md` exists in the repository +- [ ] The SQL agent includes a before/after code example +- [ ] Activating the agent in Copilot CLI returns SecureTrails-specific guidance + +--- + +## Key Takeaway + +> Custom agents turn specialist security knowledge into a reusable, committable asset — any developer can follow expert guidance without escalating to the security team. + +--- + +**Next**: [Exercise 09 — GitHub Actions Security Pipeline](exercise-09-actions-pipeline.md) diff --git a/workshop/exercise-09-actions-pipeline.md b/workshop/exercise-09-actions-pipeline.md new file mode 100644 index 0000000..1b2f430 --- /dev/null +++ b/workshop/exercise-09-actions-pipeline.md @@ -0,0 +1,81 @@ +# Exercise 09 — GitHub Actions Security Pipeline + +**Duration**: 10 minutes +**Copilot Feature**: Copilot Agent (Agent Mode) +**Goal**: Use Copilot to generate a GitHub Actions workflow that automates GHAS result checking and issue creation on every push. + +--- + +## Background + +GitHub Actions closes the last mile of the security loop: it reads GHAS findings after each push, creates or updates issues linked to the relevant agent guides, and blocks pull request merges when critical vulnerabilities are present. Using Copilot in Agent Mode, you generate the complete workflow file without writing YAML by hand. + +--- + +## Step 1 — Ask Copilot to Design the Workflow + +Open Copilot Chat (`Ctrl+Alt+I`) in Agent Mode and paste: + +``` +Create a GitHub Actions workflow file at .github/workflows/security-pipeline.yml that: +1. Triggers on push to main and on pull_request targeting main +2. Waits for CodeQL results, then queries the GitHub Code Scanning API for open alerts +3. For each CRITICAL alert, creates a GitHub issue linking to the matching agent guide in .github/agents/ +4. Fails the workflow (exit 1) if any CRITICAL alert is found, blocking the PR merge +5. Uses GITHUB_TOKEN for authentication — no secrets required +``` + +--- + +## Step 2 — Review and Save the Generated Workflow + +Copilot will generate a `.yml` file. Review it for: +- Correct `on:` triggers +- `permissions: security-events: read` and `issues: write` +- The API call to `/repos/{owner}/{repo}/code-scanning/alerts?severity=critical&state=open` +- The `gh issue create` command with agent guide link in the body + +Save the file to `.github/workflows/security-pipeline.yml`. + +--- + +## Step 3 — Commit and Trigger the Workflow + +```bash +git add .github/workflows/security-pipeline.yml +git commit -m "feat: add automated security pipeline workflow" +git push +``` + +Navigate to **Actions** tab in GitHub and watch the workflow run. + +--- + +## Step 4 — Verify Pipeline Behaviour + +In Copilot Chat, paste: + +``` +Our security pipeline workflow just ran and found 2 critical alerts. It should have created issues and failed the build. +Looking at .github/workflows/security-pipeline.yml, explain what each job step does and confirm the workflow is correctly blocking merges. +``` + +--- + +## Verify + +- [ ] `.github/workflows/security-pipeline.yml` exists and is committed +- [ ] Workflow triggered on push and completed (pass or fail) +- [ ] Workflow output shows GHAS alerts were queried +- [ ] At least one issue was created or updated by the workflow +- [ ] Pull request status check shows the security pipeline result + +--- + +## Key Takeaway + +> A Copilot-generated GitHub Actions pipeline turns GHAS from a reporting tool into an enforcement gate — vulnerabilities block merges automatically. + +--- + +**Next**: [Exercise 10 — Fix SQL Injection with Copilot](exercise-10-fix-sql-injection.md) diff --git a/workshop/exercise-10-fix-sql-injection.md b/workshop/exercise-10-fix-sql-injection.md new file mode 100644 index 0000000..787290b --- /dev/null +++ b/workshop/exercise-10-fix-sql-injection.md @@ -0,0 +1,82 @@ +# Exercise 10 — Fix SQL Injection with Copilot + +**Duration**: 10 minutes +**Copilot Feature**: Copilot Agent (Inline) +**Goal**: Use Copilot Agent to apply parameterized queries to all SQL injection points in app.py and confirm GHAS clears the alert. + +--- + +## Background + +SQL injection is the most common critical vulnerability in web applications (OWASP A03:2021). The fix is always the same: separate SQL structure from user data using parameterized queries. Copilot Agent applies this pattern consistently across an entire file — including edge cases you might miss manually. + +--- + +## Step 1 — Open the Vulnerable File + +Open `apps/securetrails-vulnerable/app.py` in VS Code. + +In Copilot Chat (`Ctrl+Alt+I`), attach the file using `#app.py` and paste: + +``` +Find every place in app.py where user input from request.args, request.form, or request.json is used directly in a SQL query string (f-string or + concatenation). +List each location as: function name | line (approx) | the vulnerable line of code. +``` + +Confirm you see at least the `search_trails` function. + +--- + +## Step 2 — Fix with Copilot Agent + +Select the entire contents of `app.py`. Press `Ctrl+I` to open Copilot Inline Edit, then paste: + +``` +Replace every SQL query that concatenates user input with a parameterized query. +Use the ? placeholder for SQLite. Pass user input as a separate tuple argument to execute(). +Do not change anything else in the file. +``` + +Review the diff Copilot proposes. Accept changes. + +--- + +## Step 3 — Verify the Fix Manually + +Check that the pattern is gone. In Copilot Chat, paste: + +``` +Review the updated app.py. Confirm there are no remaining SQL injection vectors — no f-strings or string concatenation used inside execute() calls with user input. +``` + +--- + +## Step 4 — Commit and Push + +```bash +git add apps/securetrails-vulnerable/app.py +git commit -m "fix(security): use parameterized queries to eliminate SQL injection" +git push +``` + +After pushing, navigate to **Security → Code scanning** and wait 5–10 minutes for GHAS to re-scan. The SQL injection alert should move to **Fixed** status. + +--- + +## Verify + +- [ ] All SQL queries in app.py use `?` placeholders +- [ ] No f-strings or string concatenation remain inside `execute()` calls +- [ ] Copilot Chat confirms no remaining SQL injection vectors +- [ ] Fix is committed and pushed +- [ ] CodeQL alert status updated to Fixed (may take 5–10 min) + +--- + +## Key Takeaway + +> Copilot Agent applies a security fix pattern consistently across an entire file — eliminating the risk of missing one vulnerable code path. + +--- + +**Next**: [Exercise 11 — Fix Broken Authentication](exercise-11-fix-auth.md) diff --git a/workshop/exercise-11-fix-auth.md b/workshop/exercise-11-fix-auth.md new file mode 100644 index 0000000..f3515ed --- /dev/null +++ b/workshop/exercise-11-fix-auth.md @@ -0,0 +1,89 @@ +# Exercise 11 — Fix Broken Authentication + +**Duration**: 10 minutes +**Copilot Feature**: Copilot Agent + Copilot Chat +**Goal**: Add ownership checks to the booking endpoints so users cannot access or modify other users' resources. + +--- + +## Background + +Broken Object-Level Authorisation (BOLA/IDOR — OWASP A01:2021) occurs when an endpoint does not verify that the requesting user owns the resource they are accessing. In SecureTrails, users can delete any booking by guessing the booking ID in the URL. The fix is a reusable Flask decorator that checks ownership before the route handler runs. + +--- + +## Step 1 — Identify the Vulnerable Endpoints + +In Copilot Chat with `#app.py` attached, paste: + +``` +List every Flask route in app.py that accepts a resource ID (like booking_id or trail_id) as a URL parameter. +For each, tell me whether the route checks that session['user_id'] matches the owner of that resource before performing the operation. +Mark each as SAFE or VULNERABLE. +``` + +--- + +## Step 2 — Generate a Ownership-Check Decorator + +In Copilot Chat, paste: + +``` +Write a Flask decorator called require_booking_owner that: +1. Reads booking_id from the URL parameter +2. Queries the database to get the booking's user_id +3. Compares it to session['user_id'] +4. Returns a 403 JSON error if they do not match +5. Calls the decorated function only if they match + +Show usage applied to the DELETE /booking/ route. +``` + +--- + +## Step 3 — Apply the Fix with Copilot Agent + +Select the route handler section of `app.py`. Press `Ctrl+I` and paste: + +``` +Add the require_booking_owner decorator (from the code I just generated) to every booking DELETE, PUT, and PATCH route. +Place the decorator definition at the top of the route section, before the first booking route. +``` + +Review and accept the diff. + +--- + +## Step 4 — Commit the Fix + +```bash +git add apps/securetrails-vulnerable/app.py +git commit -m "fix(security): add ownership checks to booking endpoints (BOLA/IDOR)" +git push +``` + +In Copilot Chat, paste: + +``` +Review the updated DELETE /booking/ route in app.py and confirm the ownership check is correctly implemented. Are there any bypass scenarios I should test? +``` + +--- + +## Verify + +- [ ] `require_booking_owner` decorator exists in app.py +- [ ] All booking mutation routes (DELETE, PUT, PATCH) use the decorator +- [ ] Copilot Chat confirms correct implementation +- [ ] Fix is committed and pushed +- [ ] Copilot identified no bypass scenarios in the implementation + +--- + +## Key Takeaway + +> Copilot generates the secure pattern once (a decorator) and applies it consistently — no endpoint gets missed. + +--- + +**Next**: [Exercise 12 — Verify Fixes & Complete the Cycle](exercise-12-verify-complete.md) diff --git a/workshop/exercise-12-verify-complete.md b/workshop/exercise-12-verify-complete.md new file mode 100644 index 0000000..5fc817f --- /dev/null +++ b/workshop/exercise-12-verify-complete.md @@ -0,0 +1,81 @@ +# Exercise 12 — Verify Fixes & Complete the Cycle + +**Duration**: 5 minutes +**Copilot Feature**: Copilot Chat + GHAS +**Goal**: Confirm that GHAS clears the fixed alerts, close the resolved issues, and understand the full detection-to-fix cycle. + +--- + +## Background + +Security work is only complete when the detection tool confirms the fix. GHAS rescans automatically on every push. This final mandatory exercise closes the loop: check alert status, close resolved issues, and use Copilot to generate a summary of what was accomplished — a deliverable you can share with stakeholders. + +--- + +## Step 1 — Check GHAS Alert Status + +Navigate to **Security → Code scanning alerts** in GitHub. + +Alerts for SQL injection and auth issues should show status **Fixed** (or still **Open** if the scan hasn't completed yet — wait 5 minutes and refresh). + +--- + +## Step 2 — Close Resolved Issues + +For each issue created in Exercise 07 that is now fixed, run: + +```bash +gh issue close \ + --comment "Fixed in commit $(git rev-parse --short HEAD). GHAS alert confirmed resolved." +``` + +Or use Copilot CLI: + +```bash +npx @github/copilot -i "List all open GitHub issues in repository Hemavathi15sg/securetrails-workshop with the label 'security'. For any that have been fixed (SQL injection, authentication), close them with a comment referencing the fix commit." +``` + +--- + +## Step 3 — Generate a Stakeholder Summary + +In Copilot Chat, paste: + +``` +Based on this workshop, write a one-page security remediation summary for a non-technical stakeholder. +Include: what vulnerabilities were found, what tools detected them, what was fixed, and what automated guardrails are now in place. +Keep it under 200 words. +``` + +--- + +## Step 4 — Review What Was Built + +In Copilot Chat, paste: + +``` +Summarise the end-to-end security pipeline we built for SecureTrails in this workshop. +List each layer (GHAS, Copilot CLI, Custom Agents, GitHub Actions) and what role it plays. +Which layer catches which type of problem? +``` + +--- + +## Verify + +- [ ] CodeQL SQL injection alert shows status Fixed +- [ ] All resolved GitHub issues are closed with a fix comment +- [ ] Copilot generated a stakeholder summary +- [ ] You can describe all four security layers and their roles + +--- + +## Key Takeaway + +> The detection-to-fix cycle is complete when GHAS confirms the alert is resolved — Copilot accelerates every step from discovery through remediation to sign-off. + +--- + +> You have completed the **Mandatory Track**. Continue with any Optional exercises below based on time and interest. + +**Optional**: [Exercise 13 — Fix XSS Vulnerabilities](exercise-13-fix-xss.md) diff --git a/workshop/exercise-13-fix-xss.md b/workshop/exercise-13-fix-xss.md new file mode 100644 index 0000000..b86c176 --- /dev/null +++ b/workshop/exercise-13-fix-xss.md @@ -0,0 +1,75 @@ +# Exercise 13 — Fix XSS Vulnerabilities + +**Duration**: 10 minutes +**Copilot Feature**: Copilot Agent + Copilot Chat +**Goal**: Eliminate Cross-Site Scripting (XSS) vulnerabilities in the Jinja2 templates by enabling autoescaping and adding Content Security Policy headers. + +--- + +## Background + +XSS (OWASP A03:2021) allows attackers to inject JavaScript into pages viewed by other users. In Jinja2, the risk comes from templates using `{{ variable }}` without the `| e` escape filter or without global autoescaping enabled. Adding a Content Security Policy (CSP) header provides a browser-level second layer of defence. + +--- + +## Step 1 — Identify XSS Vectors in Templates + +Open Copilot Chat with the `templates/` folder attached. Paste: + +``` +Review the Jinja2 templates in the templates folder. +List every {{ variable }} expression that renders user-supplied data without the | e escape filter or Markup() wrapper. +Also check if autoescaping is enabled in the Flask app init. +``` + +--- + +## Step 2 — Enable Flask Autoescaping + +In Copilot Chat with `#app.py` attached, paste: + +``` +Show me how to enable Jinja2 autoescaping for all .html templates when initialising the Flask app. +If the current app has autoescape=False or no autoescape setting, provide the corrected Flask() constructor call. +``` + +Apply the change using `Ctrl+I` inline edit on `app.py`. + +--- + +## Step 3 — Add Content Security Policy Header + +In Copilot Chat, paste: + +``` +Add an after_request hook to the Flask app that sets a Content-Security-Policy response header. +The policy should: allow scripts only from self, disallow inline scripts, disallow eval, allow styles from self. +Show the exact Flask code and explain each CSP directive. +``` + +Apply the change with Copilot Agent. + +--- + +## Step 4 — Commit and Verify + +```bash +git add apps/securetrails-vulnerable/app.py apps/securetrails-vulnerable/templates/ +git commit -m "fix(security): enable Jinja2 autoescaping and add CSP headers" +git push +``` + +--- + +## Verify + +- [ ] Flask app initialises with `autoescape=True` or equivalent +- [ ] CSP `after_request` hook is present in app.py +- [ ] CodeQL XSS alert cleared after push (allow 5–10 min) +- [ ] Copilot Chat confirms no remaining unescaped user output in templates + +--- + +## Key Takeaway + +> Enabling autoescaping once protects every existing and future template — Copilot identifies the gap and applies the fix in one step. diff --git a/workshop/exercise-14-fix-secrets.md b/workshop/exercise-14-fix-secrets.md new file mode 100644 index 0000000..6ba1fa5 --- /dev/null +++ b/workshop/exercise-14-fix-secrets.md @@ -0,0 +1,76 @@ +# Exercise 14 — Fix Hardcoded Secrets + +**Duration**: 5 minutes +**Copilot Feature**: Copilot Agent + Copilot Chat +**Goal**: Move all hardcoded credentials from `config.py` to environment variables and prevent future secret commits with push protection. + +--- + +## Background + +Secrets committed to version control are often exposed to everyone with repo access — and in git history even after deletion. The fix is to move credentials to environment variables loaded at runtime, never hardcoded in source. GHAS push protection then blocks future accidental commits before they land in the repository. + +--- + +## Step 1 — Find All Hardcoded Secrets + +Open Copilot Chat with `#config.py` attached. Paste: + +``` +Identify every hardcoded secret, password, token, or key in config.py. +For each one, tell me: the variable name, what it is (DB password, secret key, etc.), and the correct os.environ.get() replacement with a safe default. +``` + +--- + +## Step 2 — Replace with Environment Variables + +Press `Ctrl+I` on `config.py` and paste: + +``` +Replace every hardcoded secret value with os.environ.get('VARIABLE_NAME', ''). +Add import os at the top if not present. +Do not change any variable names — only replace the hardcoded string values. +``` + +Review and accept the diff. + +--- + +## Step 3 — Create a `.env.example` File + +In Copilot Chat, paste: + +``` +Based on the secrets we just moved to environment variables in config.py, generate a .env.example file that lists all required environment variable names with placeholder values. +This file is safe to commit — it shows developers what variables to set without exposing real values. +``` + +Save the output as `.env.example` at the repository root and add `.env` to `.gitignore`. + +--- + +## Step 4 — Commit + +```bash +echo ".env" >> .gitignore +git add config.py .env.example .gitignore +git commit -m "fix(security): move hardcoded secrets to environment variables" +git push +``` + +--- + +## Verify + +- [ ] `config.py` contains no hardcoded string literals for passwords or keys +- [ ] All secret values are loaded via `os.environ.get()` +- [ ] `.env.example` committed with placeholder values +- [ ] `.env` is listed in `.gitignore` +- [ ] GHAS Secret scanning alert clears after push + +--- + +## Key Takeaway + +> Moving secrets to environment variables takes five minutes with Copilot and permanently removes the most common cause of credential exposure. diff --git a/workshop/exercise-15-update-dependencies.md b/workshop/exercise-15-update-dependencies.md new file mode 100644 index 0000000..7c2ab70 --- /dev/null +++ b/workshop/exercise-15-update-dependencies.md @@ -0,0 +1,69 @@ +# Exercise 15 — Update Vulnerable Dependencies + +**Duration**: 5 minutes +**Copilot Feature**: Copilot Chat + Dependabot +**Goal**: Use Dependabot's automated pull requests to upgrade vulnerable packages and let Copilot explain the CVEs. + +--- + +## Background + +Vulnerable dependencies (OWASP A06:2021) are often the easiest category to fix — the upstream package already has a patched version. Dependabot creates pull requests that update your `requirements.txt` to a safe version. Copilot explains what each CVE means and whether the upgrade could break anything. + +--- + +## Step 1 — Open Dependabot Pull Requests + +Navigate to **Security → Dependabot** in GitHub. Click **Create Dependabot security updates** if no PRs exist yet, or find the auto-generated PRs in the **Pull requests** tab. + +You should see PRs for Flask, requests, and SQLAlchemy. + +--- + +## Step 2 — Ask Copilot About Each CVE + +Open the Dependabot PR for Flask. In Copilot Chat, paste: + +``` +The Flask version in our requirements.txt has a Dependabot alert. +Explain what the CVE is, what an attacker could do with it, and whether upgrading to the patched version is likely to introduce any breaking changes for a small Flask application. +``` + +Repeat for the requests and SQLAlchemy PRs. + +--- + +## Step 3 — Merge the Safe Updates + +For each Dependabot PR where Copilot confirms the upgrade is safe: + +1. Review the diff (only `requirements.txt` should change) +2. Click **Merge pull request** + +For any upgrade Copilot flags as potentially breaking, add a comment on the PR: + +```bash +gh pr comment --body "Needs compatibility review before merge — see Copilot analysis." +``` + +--- + +## Step 4 — Verify Dependabot Alerts Clear + +After merging, navigate to **Security → Dependabot alerts**. Fixed alerts should show status **Fixed**. + +--- + +## Verify + +- [ ] You reviewed at least 2 Dependabot PRs +- [ ] Copilot explained the CVE for each alert +- [ ] At least one Dependabot PR merged successfully +- [ ] `requirements.txt` contains updated package versions +- [ ] Dependabot alert count decreased after merge + +--- + +## Key Takeaway + +> Dependabot automates the detection and the fix PR — Copilot tells you if it's safe to merge, removing the last barrier to acting on dependency vulnerabilities. diff --git a/workshop/exercise-16-security-tests.md b/workshop/exercise-16-security-tests.md new file mode 100644 index 0000000..6595ca9 --- /dev/null +++ b/workshop/exercise-16-security-tests.md @@ -0,0 +1,85 @@ +# Exercise 16 — Write Security Tests with Copilot + +**Duration**: 10 minutes +**Copilot Feature**: Copilot Agent (Test Generation) +**Goal**: Generate a security test suite that proves each vulnerability is fixed and would catch regressions. + +--- + +## Background + +A fix without a regression test can silently break again in a future commit. Security tests are distinct from functional tests — they verify that malicious inputs are rejected, not just that happy-path inputs succeed. Copilot can generate these tests from a description of the attack, making it straightforward to add coverage for every vulnerability you fixed. + +--- + +## Step 1 — Generate SQL Injection Tests + +In Copilot Chat with `#app.py` attached, paste: + +``` +Generate pytest test cases for the search_trails endpoint that prove SQL injection is prevented. +Include tests using these payloads: "' OR '1'='1", "1; DROP TABLE trails; --", "' UNION SELECT * FROM users--". +Each test should assert that the response does not return data it should not, or that the server returns a 400/500 without exposing a stack trace. +``` + +--- + +## Step 2 — Generate Auth Bypass Tests + +In Copilot Chat, paste: + +``` +Generate pytest test cases for the DELETE /booking/ endpoint to prove BOLA is prevented. +The tests should: +1. Create two test users (user_a and user_b) +2. Create a booking owned by user_b +3. Attempt to delete it as user_a +4. Assert the response is 403 Forbidden +5. Assert the booking still exists in the database +``` + +--- + +## Step 3 — Save and Run the Tests + +Copilot will generate a test file. Save it as `apps/securetrails-vulnerable/tests/test_security.py`. + +Run the tests: + +```bash +cd apps/securetrails-vulnerable +pip install pytest +pytest tests/test_security.py -v +``` + +All tests should pass. If any fail, use Copilot to diagnose: + +``` +A pytest test for SQL injection prevention is failing with this error: [paste error]. +What does this indicate — is the fix incomplete or is the test incorrect? +``` + +--- + +## Step 4 — Commit the Test Suite + +```bash +git add apps/securetrails-vulnerable/tests/ +git commit -m "test(security): add regression tests for SQL injection and BOLA fixes" +git push +``` + +--- + +## Verify + +- [ ] `tests/test_security.py` exists with at least 4 security test cases +- [ ] All tests pass locally (`pytest tests/test_security.py -v`) +- [ ] At least one test uses a SQL injection payload as input +- [ ] At least one test verifies a 403 response for unauthorised access + +--- + +## Key Takeaway + +> Security tests generated by Copilot turn a one-time fix into a permanent guard — any future regression is caught automatically in CI. diff --git a/workshop/exercise-17-security-docs.md b/workshop/exercise-17-security-docs.md new file mode 100644 index 0000000..51b1092 --- /dev/null +++ b/workshop/exercise-17-security-docs.md @@ -0,0 +1,89 @@ +# Exercise 17 — Security Policy & Compliance Documentation + +**Duration**: 10 minutes +**Copilot Feature**: Copilot Chat (Document Generation) +**Goal**: Use Copilot to generate a SECURITY.md policy and an OWASP compliance checklist for the repository. + +--- + +## Background + +Automated tooling catches vulnerabilities — documentation ensures the team knows how to respond to them and how the pipeline works. A `SECURITY.md` file at the repository root tells contributors how to report vulnerabilities. An OWASP checklist documents your current coverage across the Top 10. Both are Copilot-generated in minutes and become permanent repository assets. + +--- + +## Step 1 — Generate SECURITY.md + +In Copilot Chat, paste: + +``` +Generate a SECURITY.md file for the SecureTrails repository. +Include sections for: +- How to report a vulnerability (private disclosure email or GitHub private advisory) +- Response timeline (acknowledgement within 48h, patch within 14 days for critical) +- Supported versions (only latest main branch) +- How automated scanning works (GHAS, Dependabot, GitHub Actions pipeline) +- How developers should use the custom agents in .github/agents/ when fixing vulnerabilities +``` + +Save the output as `SECURITY.md` at the repository root. + +--- + +## Step 2 — Generate OWASP Top 10 Coverage Checklist + +In Copilot Chat, paste: + +``` +Generate an OWASP Top 10 (2021 edition) compliance checklist for SecureTrails. +For each of the 10 categories, state: +- Whether SecureTrails was vulnerable (Yes / Partially / No) +- What we did to address it in this workshop +- What automated control is now in place (GHAS / GitHub Actions / test coverage) +Format as a markdown table. +``` + +Save the output as `docs/owasp-coverage.md`. + +--- + +## Step 3 — Add a Developer Quick-Reference + +In Copilot Chat, paste: + +``` +Write a 10-line quick-reference section for developers explaining: +1. How to run a security check locally before pushing +2. What to do if their PR fails the security pipeline +3. Which custom agent to open for which vulnerability type +4. Who to contact for security questions + +Keep it short enough to paste into a README or Confluence page. +``` + +Add this as the last section of `SECURITY.md`. + +--- + +## Step 4 — Commit the Documentation + +```bash +git add SECURITY.md docs/owasp-coverage.md +git commit -m "docs(security): add SECURITY.md policy and OWASP coverage checklist" +git push +``` + +--- + +## Verify + +- [ ] `SECURITY.md` exists at repo root with vulnerability disclosure instructions +- [ ] `docs/owasp-coverage.md` contains OWASP Top 10 table with coverage status +- [ ] Developer quick-reference section present in `SECURITY.md` +- [ ] Both files committed and visible on GitHub + +--- + +## Key Takeaway + +> Copilot generates compliance documentation in minutes — turning your security controls into auditable, stakeholder-ready evidence.