Skip to content
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
118 changes: 67 additions & 51 deletions README.md
Original file line number Diff line number Diff line change
@@ -1,84 +1,100 @@
# 🔐 SecureTrails - GitHub Security Workshop
# Security Engineering with GitHub Copilot — Workshop

![Duration: 2 Hours](https://img.shields.io/badge/Duration-2%20Hours-blue)
![Level: Intermediate](https://img.shields.io/badge/Level-Intermediate-orange)
![GitHub](https://img.shields.io/badge/GitHub-Security-green)
> **Audience**: Developers and security engineers who want to integrate GitHub Copilot into a real security workflow
> **Total Duration**: ~50 min mandatory + ~30 min optional (see two-track map below)
> **Pre-requisites**: VS Code with GitHub Copilot Chat extension, Python 3.9+, Git CLI, GitHub CLI, GitHub Copilot access, GitHub MCP, Mermaid extension for VS Code.

---

## 📖 The Story
## What You Will Build

Welcome to **SecureTrails**, a popular travel booking and trail management platform! Founded in 2018, our platform connects millions of adventure enthusiasts with curated hiking, trekking, and adventure trails worldwide.
You will secure **SecureTrails** — a deliberately vulnerable Flask trail-booking application — using GitHub's complete security ecosystem. Every vulnerability is detected, analysed, and fixed by directing Copilot through prompts. You do not write code from scratch.

However, our security posture has been neglected. GitHub's Advanced Security scans have recently flagged critical vulnerabilities in our codebase:
The workshop spans the full detection-to-fix cycle: GitHub Advanced Security finds the issues, Copilot CLI explains them, Custom Agents guide remediation, and GitHub Actions enforces the pipeline on every push.

- 🔴 **SQL Injection** in our database query layer
- 🔴 **Broken Authentication** in user permission validation
- 🔴 **Hardcoded Secrets** in environment files
- 🔴 **Vulnerable Dependencies** in our Python packages
**Core capabilities from [`requirement.md`](requirement.md):**

As a newly hired Security Engineer at SecureTrails, your mission is to **audit, analyze, and remediate these vulnerabilities** using GitHub's complete security ecosystem. We need to secure our platform before the peak season when millions of users rely on us.
| Capability | Description |
|---|---|
| **GHAS Detection** | CodeQL, Secret Scanning, and Dependabot scan automatically on every push |
| **Copilot CLI Analysis** | Interactive multi-turn sessions explain vulnerabilities and fix patterns |
| **Custom Agents** | Reusable `.agent.md` guides scoped to each vulnerability class |
| **Actions Enforcement** | Workflow blocks PR merges when critical alerts are open |
| **Copilot Agent Fixes** | Inline edits apply secure patterns across entire files in one step |

---

## 🎯 Workshop Objectives
## Prerequisites

By the end of this 2-hour workshop, you will:

✅ Understand GitHub's native security features (GHAS, CodeQL, Secret Scanning, Dependabot)
✅ Use Copilot CLI for interactive vulnerability analysis
✅ Create custom security agents to guide fix remediation
✅ Automate security workflows with GitHub Actions
✅ Deploy a complete, repeatable security strategy
- VS Code with GitHub Copilot and GitHub Copilot Chat extensions installed and signed in
- Python 3.9+ and pip
- Git 2.40+
- GitHub CLI (`gh`) v2.0+ — authenticated with `gh auth login`
- GitHub Copilot access (individual or organisation licence)
- Node.js (for `npx @github/copilot` in Exercises 06–08)

---

## 🛠️ Prerequisites

### Required Tools

- **Visual Studio Code** (latest version)
- **GitHub Copilot CLI** (`npx @github/copilot`)
- **GitHub CLI** (`gh` v2.0+)
- **Git** (v2.40+)

### Authentication
## Workshop Map

- **GitHub Account** (with Copilot access)
- **GitHub Authentication** (`gh auth login`)
> **Two-Track Design**: Complete the **Mandatory Track** first (~50 min), then pick any **Optional** exercises based on time and interest.

### Access
---

- Clone of **SecureTrails** vulnerable app: `https://github.com/Hemavathi15sg/securetrails-workshop`
### Mandatory Track (~50 minutes)

| # | Exercise | Copilot Feature | Duration |
|---|----------|----------------|----------|
| 01 | [Prerequisites & Setup](workshop/exercise-01-setup.md) | Copilot Chat | 5 min |
| 02 | [Explore the Vulnerable Application](workshop/exercise-02-explore-app.md) | Copilot Chat (Explain) | 5 min |
| 03 | [Enable GitHub Advanced Security](workshop/exercise-03-enable-ghas.md) | GitHub Native Security | 10 min |
| 04 | [Review CodeQL Findings & Autofix](workshop/exercise-04-codeql-findings.md) | Copilot Autofix | 10 min |
| 05 | [Review Secret Scanning & Dependabot](workshop/exercise-05-secrets-dependabot.md) | GHAS | 5 min |
| 06 | [Copilot CLI Interactive Analysis](workshop/exercise-06-copilot-cli-analysis.md) | Copilot CLI | 10 min |
| 07 | [Create GitHub Issues from Findings](workshop/exercise-07-create-issues.md) | Copilot CLI + GitHub MCP | 5 min |
| 08 | [Create Custom Security Agents](workshop/exercise-08-custom-agents.md) | Copilot Custom Agents | 10 min |
| 09 | [GitHub Actions Security Pipeline](workshop/exercise-09-actions-pipeline.md) | Copilot Agent (Agent Mode) | 10 min |
| 10 | [Fix SQL Injection with Copilot](workshop/exercise-10-fix-sql-injection.md) | Copilot Agent (Inline) | 10 min |
| 11 | [Fix Broken Authentication](workshop/exercise-11-fix-auth.md) | Copilot Agent + Chat | 10 min |
| 12 | [Verify Fixes & Complete the Cycle](workshop/exercise-12-verify-complete.md) | Copilot Chat + GHAS | 5 min |

---

## 📚 Workshop Exercises
### Optional Track (~30 minutes — pick any, in any order)

| # | Exercise | Copilot Feature | Duration | Best After |
|---|----------|----------------|----------|------------|
| 13 | [Fix XSS Vulnerabilities](workshop/exercise-13-fix-xss.md) | Copilot Agent + Chat | 10 min | Ex 04 |
| 14 | [Fix Hardcoded Secrets](workshop/exercise-14-fix-secrets.md) | Copilot Agent + Chat | 5 min | Ex 05 |
| 15 | [Update Vulnerable Dependencies](workshop/exercise-15-update-dependencies.md) | Copilot Chat + Dependabot | 5 min | Ex 05 |
| 16 | [Write Security Tests](workshop/exercise-16-security-tests.md) | Copilot Agent (Test Gen) | 10 min | Ex 10 |
| 17 | [Security Policy & Compliance Docs](workshop/exercise-17-security-docs.md) | Copilot Chat (Docs) | 10 min | Ex 12 |

| # | Exercise | Duration | Level | Focus | What You'll Do |
|---|----------|----------|-------|-------|---|
| 0 | [Prerequisites & Setup](./docs/0-prereqs.md) | 10 min | ⭐ | Setup | Install tools, authenticate with GitHub |
| 1 | [GitHub NATIVE Security (GHAS)](./docs/1-github-native-security.md) | 20 min | ⭐⭐ | Detection | Enable GHAS, review CodeQL findings, secrets, Dependabot alerts |
| 2 | [Copilot CLI - Interactive Analysis](./docs/2-copilot-cli-interactive.md) | 20 min | ⭐⭐⭐ | Analysis | Use Copilot CLI to analyze vulnerabilities, create GitHub issues |
| 3 | [Create Custom Agents](./docs/3-custom-agents-creation.md) | 20 min | ⭐⭐⭐⭐ | Documentation | Build fix guides using Copilot CLI `/agents` system |
| 4 | [GitHub Actions Integration](./docs/4-github-actions-orchestration.md) | 20 min | ⭐⭐⭐⭐ | Automation | Orchestrate GHAS → Issues → Agents → Workflows |
| 5 | [Real-World Ecosystem](./docs/5-real-world-ecosystem.md) | 20 min | ⭐⭐⭐⭐⭐ | Deployment | Deploy complete security strategy end-to-end |
> Exercises 13–15 fix vulnerabilities not covered in the mandatory track. Complete at least one of 13–15 before 16 to have a fixed codebase to write tests against.

---

## 📚 Related Resources
## Key GitHub Copilot Features Covered

- [GitHub Advanced Security Docs](https://docs.github.com/en/enterprise-cloud@latest/code-security)
- [Copilot CLI Documentation](https://docs.github.com/en/copilot/github-copilot-cli/about-github-copilot-cli)
- [GitHub CodeQL](https://codeql.github.com/)
- [Dependabot Alerts](https://docs.github.com/en/code-security/dependabot)
- [Secret Scanning](https://docs.github.com/en/code-security/secret-scanning)
| Feature | Description |
|---------|-------------|
| **Copilot Chat (Explain)** | Conversational code exploration and attack surface mapping |
| **Copilot Autofix** | One-click patch generation directly on GHAS alert pages |
| **Copilot CLI (Interactive)** | Multi-turn terminal sessions for vulnerability deep-dives |
| **Copilot Agent (Inline)** | Applies secure coding patterns across entire files |
| **Custom Agents** | Reusable `.agent.md` files scoped to specific vulnerability classes |

---

**Ready to secure SecureTrails?**
## Getting Started

## [→ Start with Exercise 0: Prerequisites & Setup](./docs/0-prereqs.md)
1. Clone the repository: `git clone https://github.com/Hemavathi15sg/securetrails-workshop.git`
1. Open in VS Code: `code securetrails-workshop`
1. Ensure **GitHub Copilot** and **GitHub Copilot Chat** extensions are installed and signed in
1. Open the Copilot Chat panel (`Ctrl+Alt+I`)
1. Start with [Exercise 01](workshop/exercise-01-setup.md)

---

> **Instructor Note**: Each exercise has an `<!-- Instructor Guide: ... -->` comment in the markdown source. Exercises are designed so attendees never write code — they copy **prompts** and let Copilot generate the output.

83 changes: 83 additions & 0 deletions workshop/exercise-01-setup.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,83 @@
# Exercise 01 — Prerequisites & Setup

**Duration**: 5 minutes
**Copilot Feature**: GitHub Copilot Chat
**Goal**: Verify all tools are installed and the SecureTrails repository is open and ready.

---

## Background

This workshop secures **SecureTrails**, a deliberately vulnerable Flask trail-booking app. You will not write code — you will direct GitHub Copilot to detect and fix security vulnerabilities across the full SDLC. This exercise confirms your environment is ready before any security work begins.

---

## Step 1 — Verify Required Tools

Open a terminal and run:

```bash
code --version
python --version
git --version
gh --version
```

> **Tip**: If any tool is missing — VS Code: code.visualstudio.com | Python: python.org | Git: git-scm.com | GitHub CLI: cli.github.com

---

## Step 2 — Authenticate GitHub CLI

```bash
gh auth login
```

Select **HTTPS** and **Login with a web browser**. Verify:

```bash
gh auth status
```

Expected: `Logged in to github.com as <your-username>`

---

## Step 3 — Clone & Open the Repository

```bash
git clone https://github.com/Hemavathi15sg/securetrails-workshop.git
cd securetrails-workshop
code .
```

---

## Step 4 — Open Copilot Chat

In VS Code press `Ctrl+Alt+I` to open the Copilot Chat panel. Confirm it is signed in.

Copy and paste the following prompt into the chat:

```
I just opened the securetrails-workshop repository. Summarize the purpose of this Flask application and list the top files I should review for a security audit.
```

---

## Verify

- [ ] All four tools print a version number
- [ ] `gh auth status` shows your GitHub account
- [ ] Repository is open in VS Code
- [ ] Copilot Chat responds with an app summary

---

## Key Takeaway

> A verified environment with authenticated GitHub CLI and Copilot Chat is the prerequisite for every security exercise that follows.

---

**Next**: [Exercise 02 — Explore the Vulnerable Application](exercise-02-explore-app.md)
66 changes: 66 additions & 0 deletions workshop/exercise-02-explore-app.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,66 @@
# Exercise 02 — Explore the Vulnerable Application

**Duration**: 5 minutes
**Copilot Feature**: Copilot Chat (Explain)
**Goal**: Use Copilot to understand what SecureTrails does and identify its attack surface before scanning.

---

## Background

Before running any security tools, a security engineer reads the codebase to understand what it does. Copilot Chat's `/explain` capability lets you do this conversationally — no line-by-line reading required. This exercise maps the attack surface so later findings make sense in context.

---

## Step 1 — Understand the Application Structure

Open `apps/securetrails-vulnerable/app.py` in the editor. Then open Copilot Chat and paste:

```
Explain what this Flask application does. List every route, what data each route reads or writes, and what user inputs are accepted. Focus on anything that touches the database or renders user-supplied data.
```

---

## Step 2 — Identify the Attack Surface

In Copilot Chat, paste:

```
Based on app.py, database.py, and the templates folder, list all the places where:
1. User input is used in database queries
2. User-supplied content is rendered in HTML
3. Credentials or secrets appear in source code
4. Session or authentication checks are performed

Format each finding as: File | Line (approx) | Risk type
```

---

## Step 3 — Review the Dependencies

Open `apps/securetrails-vulnerable/requirements.txt` in the editor. Paste into Copilot Chat:

```
Review this requirements.txt. For each package, tell me the pinned version and whether that version has any known critical or high CVEs. List packages that should be updated immediately.
```

---

## Verify

- [ ] Copilot identified at least 3 routes that accept user input
- [ ] Copilot flagged at least one location where user input touches SQL
- [ ] Copilot flagged at least one outdated dependency
- [ ] You can name the two main vulnerability types present in this app

---

## Key Takeaway

> Copilot Chat turns codebase exploration into a conversation — you understand the attack surface in minutes instead of hours.

---

**Next**: [Exercise 03 — Enable GitHub Advanced Security](exercise-03-enable-ghas.md)
78 changes: 78 additions & 0 deletions workshop/exercise-03-enable-ghas.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,78 @@
# Exercise 03 — Enable GitHub Advanced Security

**Duration**: 10 minutes
**Copilot Feature**: GitHub Native Security (GHAS)
**Goal**: Enable CodeQL, Secret Scanning, Dependabot, and Code Quality on the SecureTrails repository.

---

## Background

GitHub Advanced Security (GHAS) is a set of built-in scanning services that run on GitHub's servers — no custom tooling required. Enabling it gives you automated detection of code vulnerabilities, hardcoded secrets, and vulnerable dependencies on every push. This exercise activates GHAS so you have real findings to work with.

---

## Step 1 — Navigate to Security Settings

In your GitHub repository, click the **Security** tab, then go to **Settings → Code Security**.

Enable the following:

- **Dependabot alerts** — ON
- **Dependabot security updates** — ON
- **Code scanning (CodeQL)** — ON (use Default setup)
- **Secret scanning** — ON
- **Push protection** — ON

> **Tip**: Push protection blocks commits that contain secrets before they ever reach the repository.

---

## Step 2 — Enable Code Quality Preview

In Settings, scroll to **Code quality (preview)** and enable it. This adds maintainability and bug-detection signals alongside security findings.

---

## Step 3 — Confirm Scanning Has Started

After enabling, navigate to **Security → Code scanning**. Within 2–5 minutes you should see the first CodeQL scan running or completed.

> **Note**: If this is a fresh fork, push any small change (e.g., add a blank line to README) to trigger the first scan.

```bash
echo "" >> README.md
git add README.md
git commit -m "chore: trigger initial GHAS scan"
git push
```

---

## Step 4 — Ask Copilot What GHAS Provides

In Copilot Chat, paste:

```
Explain what GitHub Advanced Security (GHAS) scans for automatically. What is CodeQL, what is Secret Scanning, and what is Dependabot? How are they different from running a linter?
```

---

## Verify

- [ ] Dependabot alerts are enabled
- [ ] CodeQL scanning is enabled (Default setup)
- [ ] Secret scanning and push protection are ON
- [ ] Code scanning tab shows a scan running or completed
- [ ] You can explain the difference between CodeQL and Dependabot

---

## Key Takeaway

> Enabling GHAS takes under five minutes and gives your repository continuous, automated security scanning without writing a single line of custom tooling.

---

**Next**: [Exercise 04 — Review CodeQL Findings & Autofix](exercise-04-codeql-findings.md)
Loading
Loading